[nycphp-talk] NEW PHundamentals Question
Dan Cech
dcech at phpwerx.net
Mon Feb 9 22:26:55 EST 2004
I'm with Jon on this one.
One-time only tokens tied to the session and with an expiry date are
wonderful pieces of gear.
I leave securing the session as an exercise for the user; at present I
use a system which links each session to a single IP, making it somewhat
more difficult to implement CSRF-type attacks...though as with any
system a determined attacker could manage to get around it.
Dan
jon baer wrote:
> the last method was session hashing for the page to create a unique entry
> token and then hiding it ...
>
> <input type="hidden" name="priv_key" value="32-bit/md5">
>
> if the sessions + keys didn't match you would know they came from somewhere
> else. i think the real key is just to have something unique in your POST as
> to distinguish it from something else. this method is actually pretty
> similar to using the graphic except the server does the work. one time keys
> work for pretty much anything.
>
> i'm guessing cookie dropping can work as well since they would have to come
> from at least one entry page on your website before spotting the
> registration. would be interested in what the php security cookbook has to
> say about this :-)
>
> - jon
>
> ----- Original Message -----
> From: "Jeff Siegel" <jsiegel1 at optonline.net>
> To: "NYPHP Talk" <talk at lists.nyphp.org>
> Sent: Monday, February 09, 2004 9:58 PM
> Subject: Re: [nycphp-talk] NEW PHundamentals Question
>
>>That's one method that's growing in popularity.
>>Prior to using this method, was there another method that you've used?
>>
>>Jeff
>
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
>
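The pattern Dan and Jon describe (a per-session, one-time token with an expiry, carried in a hidden form field and checked on POST) written out as an added example. This is not code from the thread or from any project mentioned in it; it assumes a modern PHP (random_bytes and hash_equals, PHP 7.0 or later), that session_start() runs before the functions are called, and that the form name "register", the field name "csrf_token" and the 15-minute lifetime are all illustrative choices.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 7.0 and an
// active session. Tokens are bound to the session (they live only in
// $_SESSION), expire after CSRF_TTL seconds, and are burned on first use.

const CSRF_TTL = 900; // assumed lifetime: 15 minutes

// Issue a fresh token for a named form and remember it in the session.
function csrf_issue(string $form): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $_SESSION['csrf'][$form] = [
        'token'   => $token,
        'expires' => time() + CSRF_TTL,
    ];
    return $token;
}

// Validate a submitted token. It must exist for this form in this session,
// must not have expired, and is discarded whether or not the check passes,
// so a token can never be replayed.
function csrf_check(string $form, ?string $submitted): bool
{
    $stored = $_SESSION['csrf'][$form] ?? null;
    unset($_SESSION['csrf'][$form]); // one-time: always burn it

    if ($stored === null || $submitted === null) {
        return false;
    }
    if (time() > $stored['expires']) {
        return false; // expired: the user must reload the form
    }
    // Constant-time comparison so the check does not leak the token
    // byte by byte through timing differences.
    return hash_equals($stored['token'], $submitted);
}

// Render the hidden field (Jon's "priv_key" idea, under an assumed name).
function csrf_field(string $form): string
{
    $t = htmlspecialchars(csrf_issue($form), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $t . '">';
}

// Usage in a page that both shows and handles a registration form.
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check('register', $_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing, expired or already used.');
    }
    // ... token was valid: process the registration here ...
}

echo '<form method="post">'
   . csrf_field('register')
   . '<input type="text" name="username">'
   . '<input type="submit" value="Register">'
   . '</form>';
```

Two design points worth noting: the token is removed from the session before any comparison, so a failed or expired submission cannot be retried with the same value, and the comparison uses hash_equals rather than ==, so a timing difference in the string comparison does not reveal how many leading bytes matched. Dan's IP binding is a separate, session-level check and is deliberately not mixed into this token logic.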