Re: Is this a secure way to prevent cookie tampering
by jayrom (Pilgrim) on Jun 30, 2004 at 14:23 UTC
I agree with hardburn.
What I use is taken from Lincoln Stein's Apache Modules book. I create a string which is passed to the cookie and is also saved in a database for comparison.
It might be overkill, but the cookie string is updated on each page, as one of the fields used to create it is a timestamp. As Lincoln points out, this is extremely sensitive to the smallest change in the passed parameters, and is therefore very hard to spoof and (almost) ensures randomness.
The $secret variable holds a 128 character string, which should be as random as possible.
The @fields array holds whatever data you want to use (as stated before, preferably not relevant user data), the combination of which should of course be unique for each session.
Changing the $secret string on a regular basis will also provide peace of mind ;-)
It looks like the book had a typo as this correct version of the code appears somewhere else in the book.
Sorry Lincoln, my bad!
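The scheme jayrom describes (a secret plus a list of fields hashed into a cookie value, with a copy kept server-side for comparison) is shown below as an added, self-contained Perl example; it is not jayrom's code and not the listing from the Apache Modules book. It assumes the core `Digest::SHA` module and uses an HMAC rather than a plain digest of the concatenated secret, which is the standard way to build a keyed tag today; the `$secret`, the `@fields` contents, the `|` cookie layout and the in-memory `%server_copy` hash standing in for the database are all constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a long, random secret loaded from somewhere outside the code.
# The 128-character placeholder here is constructed for the example only.
my $secret = join '', map { chr(97 + $_ % 26) } 0 .. 127;

# Server-side copy of the issued cookie string, keyed by session id.
# Stands in for the database table the post mentions.
my %server_copy;

# Keyed tag over the fields. A separator that cannot occur in the fields
# (NUL) keeps ("ab","c") and ("a","bc") from producing the same input.
sub make_tag {
    my ($key, @fields) = @_;
    return hmac_sha256_hex(join("\x00", @fields), $key);
}

# Build the cookie value: the visible fields plus the tag over them.
sub issue_cookie {
    my (@fields) = @_;
    my $tag    = make_tag($secret, @fields);
    my $cookie = join('|', @fields, $tag);
    $server_copy{ $fields[0] } = $cookie;   # remember what we handed out
    return $cookie;
}

# Compare two strings without leaking where they first differ.
sub const_eq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify a cookie presented by the client. Returns the fields on success
# and an empty list on any failure (bad tag, or not what we issued).
sub verify_cookie {
    my ($cookie) = @_;
    my @parts = split /\|/, $cookie, -1;
    return () if @parts < 2;
    my $tag    = pop @parts;
    my $expect = make_tag($secret, @parts);
    return () unless const_eq($tag, $expect);
    # Second check from the post: the value must match the stored copy,
    # so a tag that was valid for an older page load is no longer accepted.
    my $stored = $server_copy{ $parts[0] } // '';
    return () unless const_eq($cookie, $stored);
    return @parts;
}

# Demonstration with constructed values: session id, role, timestamp.
my @fields = ('sess-42', 'user', time());
my $cookie = issue_cookie(@fields);
print "issued:   $cookie\n";

my @ok = verify_cookie($cookie);
print "valid:    ", (@ok ? "yes" : "no"), "\n";

# Flipping a single field invalidates the tag.
(my $tampered = $cookie) =~ s/\|user\|/|admin|/;
my @bad = verify_cookie($tampered);
print "tampered: ", (@bad ? "accepted" : "rejected"), "\n";

# Re-issuing on the next page load (new timestamp) retires the old value.
sleep 1;
issue_cookie('sess-42', 'user', time());
my @stale = verify_cookie($cookie);
print "old copy: ", (@stale ? "accepted" : "rejected"), "\n";
```

Two points worth noting when adapting this: the randomness of the cookie comes from `$secret`, not from the timestamp or the other fields, so the secret is the part that must be unguessable; and the database comparison is what turns a merely unforgeable cookie into a single-use one per page load, which is the property jayrom is after.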