Referer (was Patches for wwwboard.pl)
Lincoln Stein (lstein@cshl.org)
Fri, 9 Oct 1998 16:46:07 -0400
- Next message: pedward@WEBCOM.COM: "Followup to FP98 and other Frontpage bugs"
- Previous message: Randy Richardson: "Re: More Rconsole stuff"
- In reply to: Michael Blythe: "Referer (was Patches for wwwboard.pl)"
- Next in thread: David Schwartz: "Re: Referer (was Patches for wwwboard.pl)"
Michael Blythe writes:

> In September's 'Web Techniques', Lincoln Stein discusses the problem of
> using the referer header as an authentication method for CGI scripts. He
> suggests using MD5 to check whether a form's fields have been tampered
> with. I'm not sure if this would work with the wwwboard, because of the way
> the script is passing info in hidden fields, but it will work in other
> applications:
> [...]
> * in perl, the MD5 hash can be computed as follows:
>
>     $hash = MD5->hexhash(MD5->hexhash($secret) . "untamperable consistency");

Even though I wrote this, it turns out that this isn't the best way to
compute a message authentication code (MAC). A more secure technique is
this:

    $hash = MD5->hexhash($secret . MD5->hexhash("$secret untamperable consistency"));

I explain the problems with the original scheme in the October issue of
Web Techniques.

Lincoln

--
========================================================================
Lincoln D. Stein                            Cold Spring Harbor Laboratory
lstein@cshl.org                             Cold Spring Harbor, NY
========================================================================
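Added illustration, not code from the post or from the Web Techniques column: both constructions quoted above, written in Python with hashlib in place of the Perl MD5 module, plus a sign/verify pair that protects a form's hidden fields with the revised scheme. The secret, the field names and their values are constructed for the demo; the canonical field encoding is an assumption of this example.

```python
import hashlib
import hmac

# Constructed demo secret. A real deployment keeps a long random secret
# outside the HTML and outside version control.
SECRET = "constructed-demo-secret-do-not-reuse"


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def serialize_fields(fields: dict) -> str:
    """Canonical encoding of the hidden fields (assumed format).

    Sorting fixes the order; length prefixes keep 'a'+'bc' and 'ab'+'c'
    from producing the same string, so one MAC covers exactly one form."""
    return "".join(f"{len(k)}:{k}{len(v)}:{v}" for k, v in sorted(fields.items()))


def mac_original(secret: str, data: str) -> str:
    """Scheme quoted from the September column: MD5(MD5(secret) . data)."""
    return md5_hex(md5_hex(secret) + data)


def mac_revised(secret: str, data: str) -> str:
    """Stein's revised scheme: MD5(secret . MD5(secret . data))."""
    return md5_hex(secret + md5_hex(secret + data))


def sign_fields(fields: dict, secret: str = SECRET) -> dict:
    """Return the fields plus a 'mac' hidden field computed over them."""
    signed = dict(fields)
    signed["mac"] = mac_revised(secret, serialize_fields(fields))
    return signed


def verify_fields(submitted: dict, secret: str = SECRET) -> bool:
    """Recompute the MAC over everything except 'mac' and compare in
    constant time, so a missing or altered field is rejected."""
    fields = {k: v for k, v in submitted.items() if k != "mac"}
    expected = mac_revised(secret, serialize_fields(fields))
    return hmac.compare_digest(expected, submitted.get("mac", ""))


if __name__ == "__main__":
    form = sign_fields({"board": "general", "max_posts": "100"})
    print(verify_fields(form))                              # True
    print(verify_fields(dict(form, max_posts="1000000")))  # False
```

Today the standard answer for this job is HMAC (RFC 2104) with a SHA-2 digest, which Python exposes as hmac.new; the revised MD5 construction is shown here only to mirror the post.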