WebApp Sec mailing list archives
Re: Passing data between frames
From: Bear Giles <bgiles () coyotesong com>
Date: Fri, 28 Mar 2003 17:25:18 -0700
Mark Reardon wrote:
> I use large handles (512 bit or larger) and I encrypt them using a hash of the browser ID and high byte of the source IP address. I then place the handle in a cookie. I then add it to a table, and place the table index into a cookie. The table also has either the information being passed or a pointer to it.
That sounds unnecessarily complex. Why bother with the encryption/decryption cycle?
Hash the browser ID, source IP and some salt. Put the hash into cookie. The same cookie goes into the database with whatever information you're tracking, using the hash as your primary key. When you receive a cookie, recompute the hash from the same values and compare. If they match, retrieve the values from the database. If they don't, you could probably still flush the table entry based on the browser ID and source IP, although that may not be sufficiently unique.
> To narrow that window, table entries are timed (short) and only available once.
Is the uniqueness really required? If so, you can still easily do this with just hashes. Use the same approach to handle salt values in password files - just prepend the sequence number to the hash before encoding it in hex or base64 for your cookie. When you get a cookie, pull the salt value and use it to generate the new hash. The table could/should also contain the current sequence number.
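The hash-keyed table described in this reply, written out as an added example (this is not code from either poster). It follows the scheme as stated: the cookie is the sequence number prepended to a hash of the sequence number, the browser ID and the high byte of the source IP; the table is keyed by that hash, entries are short-lived and redeemable once; on receipt the server re-derives the hash from the same inputs and compares it in constant time before looking the entry up. The class and method names, the 8-hex-digit sequence field, the 60-second default lifetime and the sample browser ID and IP address are all assumptions made for the example.

```python
import hashlib
import hmac
import time

# Constructed sample inputs for the demo; not taken from the thread.
BROWSER_ID = "Mozilla/5.0 (example-ua)"
SOURCE_IP = "203.0.113.42"

SEQ_HEX_WIDTH = 8        # assumption: sequence number encoded as 8 hex digits
DIGEST_HEX_WIDTH = 64    # sha256 hex digest length


def ip_high_byte(ip: str) -> str:
    """Only the high byte of a dotted-quad IPv4 address, as the quoted post suggests."""
    return ip.split(".")[0]


class HandleTable:
    """Server-side table keyed by the hash; entries expire and are single-use."""

    def __init__(self, ttl_seconds: float = 60.0):
        self.ttl = ttl_seconds
        self.seq = 0            # current sequence number, reused as the salt
        self.entries = {}       # hex digest -> (expires_at, payload)

    def _digest(self, browser_id: str, ip: str, seq: int) -> str:
        # Salt (sequence number) first, then the per-client values.
        material = f"{seq}|{browser_id}|{ip_high_byte(ip)}".encode()
        return hashlib.sha256(material).hexdigest()

    def issue(self, browser_id: str, ip: str, payload, now=None) -> str:
        """Store payload under the hash and return the cookie value to hand out."""
        now = time.time() if now is None else now
        self.seq += 1
        digest = self._digest(browser_id, ip, self.seq)
        self.entries[digest] = (now + self.ttl, payload)
        # Cookie: sequence number prepended to the hash, both hex encoded.
        return f"{self.seq:0{SEQ_HEX_WIDTH}x}{digest}"

    def redeem(self, cookie: str, browser_id: str, ip: str, now=None):
        """Recompute the hash from the presented values; return payload or None."""
        now = time.time() if now is None else now
        if len(cookie) != SEQ_HEX_WIDTH + DIGEST_HEX_WIDTH:
            return None
        try:
            seq = int(cookie[:SEQ_HEX_WIDTH], 16)   # pull the salt back out
        except ValueError:
            return None
        presented = cookie[SEQ_HEX_WIDTH:]
        expected = self._digest(browser_id, ip, seq)
        # Constant-time compare so a tampered cookie gives no timing signal.
        if not hmac.compare_digest(presented, expected):
            return None
        entry = self.entries.pop(expected, None)    # available once only
        if entry is None:
            return None
        expires_at, payload = entry
        if now > expires_at:
            return None
        return payload


if __name__ == "__main__":
    table = HandleTable(ttl_seconds=30)
    cookie = table.issue(BROWSER_ID, SOURCE_IP, {"frame": "left", "value": 1})
    print("first redeem :", table.redeem(cookie, BROWSER_ID, SOURCE_IP))
    print("second redeem:", table.redeem(cookie, BROWSER_ID, SOURCE_IP))
```

Because the hash inputs here are the sequence number (visible in the cookie), the browser ID and the IP high byte, none of which is secret, the table lookup is what stops a forged cookie from succeeding: a recomputed hash only pays off if a live entry with that key exists. If the threat model includes someone who can observe a victim's browser ID and address, keying the hash with a server-side secret (an HMAC) or using a random per-entry salt in place of the sequence number removes the ability to reconstruct another client's key from public inputs. The short lifetime and single use from the quoted post narrow the window either way.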
Current thread:
- Passing data between frames Chris Neil (Mar 28)
- RE: Passing data between frames Vinny Bedus (Mar 28)
- <Possible follow-ups>
- Re: Passing data between frames Mark Reardon (Mar 28)
- Re: Passing data between frames Bear Giles (Mar 28)
- Re: Re: Passing data between frames Mark Reardon (Mar 31)