[Phplib-users] an interesting paper
From: Giancarlo <gia...@na...> - 2003-02-28 23:23:21

I am reading 'Dos and Don'ts of client authentication on the web', by Kevin Fu and others, http://pdos.lcs.mit.edu/cookies/ . It proposes a cookie recipe that is composed of 3 parts:

1. Our SID, called 's'
2. another ever-changing value (e.g. expiration, or even an incremental value, or a random MD5 hash), called 't'
3. a third value that is a digest of the first two PLUS a secret part: 's'+'t'+secret word

This way no one can invent a session ID or twiddle the expiration part, because the third part would not match as he does not know the secret part.

Although phplib keeps the expiration in the db, that recipe would be OK for cookies and URLs as long as the second value is ever-changing.

Gian
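The three-part cookie recipe described in the post, written out as an added Python example (this is not phplib code and not code from the Fu et al. paper). It assumes a server-side secret `SECRET_KEY`, a `|` separator between the parts, and uses the expiration time as the ever-changing 't'. One deliberate change from the recipe as quoted: the third part is computed with HMAC-SHA256 over 's' and 't' rather than a plain hash of 's'+'t'+secret, so that a recovered digest cannot be extended to a new message and so that the concatenation of the two parts is unambiguous; the digest is compared in constant time.

```python
import hashlib
import hmac
import secrets
import time

# Server-side secret (a constructed placeholder for this example; a real
# deployment would load it from configuration or a key store, never hard-code it).
SECRET_KEY = b"example-secret-do-not-use-in-production"

# Separator between the three parts; the session id must not contain it.
SEP = "|"


def new_session_id() -> str:
    """Generate an unguessable session id 's' (assumed here: 128 random bits)."""
    return secrets.token_hex(16)


def _mac(sid: str, t: str, key: bytes = SECRET_KEY) -> str:
    """Third part of the recipe: a keyed digest over 's' and 't'.

    HMAC is used instead of hash(s + t + secret) so that nobody who sees one
    valid cookie can derive a digest for a different 's' or 't' without the key.
    """
    msg = f"{sid}{SEP}{t}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_cookie(sid: str, ttl_seconds: int, now=None, key: bytes = SECRET_KEY) -> str:
    """Build 's|t|digest', where 't' is the absolute expiration time (Unix seconds)."""
    if SEP in sid or not sid:
        raise ValueError("session id must be non-empty and must not contain the separator")
    now = int(time.time()) if now is None else int(now)
    t = str(now + int(ttl_seconds))
    return SEP.join((sid, t, _mac(sid, t, key)))


def parse_cookie(cookie: str):
    """Split the cookie into (s, t, digest); return None if it does not have 3 parts."""
    parts = cookie.split(SEP)
    if len(parts) != 3:
        return None
    return tuple(parts)


def verify_cookie(cookie: str, now=None, key: bytes = SECRET_KEY):
    """Return the session id if the cookie is authentic and unexpired, else None.

    The digest is checked before anything else is trusted, so a forged 's' or a
    'twiddled' expiration fails here regardless of what the other parts contain.
    """
    parsed = parse_cookie(cookie)
    if parsed is None:
        return None
    sid, t, digest = parsed
    expected = _mac(sid, t, key)
    if not hmac.compare_digest(expected, digest):
        return None  # forged sid, altered expiration, or wrong key
    if not t.isdigit():
        return None  # well-signed but malformed 't' (should not happen with our own cookies)
    now = int(time.time()) if now is None else int(now)
    if int(t) <= now:
        return None  # expired
    return sid


if __name__ == "__main__":
    sid = new_session_id()
    cookie = make_cookie(sid, ttl_seconds=3600)
    print("issued :", cookie)
    print("valid  :", verify_cookie(cookie) == sid)
    # Someone changing the expiration without the key does not get past the digest check.
    s, t, d = parse_cookie(cookie)
    tampered = SEP.join((s, str(int(t) + 10_000_000), d))
    print("tampered accepted:", verify_cookie(tampered) is not None)
```

Expiration is carried inside the cookie here because the post suggests 't' can be the expiration; where, as in phplib, expiration lives in the database, 't' still needs to change on every issue (a counter or random value) so that two cookies for the same session never share the same digest.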