Beefy Boxes and Bandwidth Generously Provided by pair Networks
Pathologically Eclectic Rubbish Lister

Re: Re: Check the cookie for changes

by drewbie (Chaplain)
on Mar 26, 2002 at 17:53 UTC ( #154452=note: print w/replies, xml ) Need Help??

in reply to Re: Check the cookie for changes
in thread Web based password management (or how *not* to blame tye)

Anyone who modifies the cookie can also recompute the hash value so that it matches. To prevent that, you need to include secret information in the hash itself -- see Digest::HMAC. If you go that route, you can eliminate the need to store session information on the web server at all.

I'm not sure if we're talking about the same thing here or not. The hash I mentioned is a MAC of the cookie value you are sending along w/ a secret string stored on the server. This MAC does prevent the attacker from regenerating the cookie. A good example of this in Apache::TicketTool::make_ticket discussed in the mod_perl book (Writing Apache Modules in Perl and C by Stein & MacEachern) page 317.

So I think we're talking about the same thing. I haven't had time to finish reading RFC 2104 (which Digest::HMAC implements), so I can't be sure. But I know the method I mentioned has been widely discussed as reasonably secure.

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://154452]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (4)
As of 2020-09-20 20:47 GMT
Find Nodes?
    Voting Booth?
    If at first I donít succeed, I Ö

    Results (122 votes). Check out past polls.