[FX.php List] How to avoid URL counterfeiting

DC dan.cynosure at dbmscan.com
Thu Jun 28 13:39:27 MDT 2007


if you are really concerned about someone compromising your URLs by
cracking md5 or sha1 then you shouldn't use URLs with encoded data.

i think for the most part (unless you are working on state secrets),
you'll do fine with either.

but, this article says that even sha1 is crackable:
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

dan

Gjermund Gusland Thorsen had written:
> Never use md5() use sha1() instead.
> 
> ggt667
> 
> On 6/28/07, William Downs <william.downs at gmail.com> wrote:
>> Thanks guys for all the suggestions - and thanks Joel for the thread -
>>
>> These values will vary throughout a user's session - as a Sales
>> person, I have perhaps 10 contacts - I can view only these, as a
>> manager I have 5 salespersons, I may view all of their contacts, but
>> not those from another sales team (centre) --
>>
>> I will have a look all the same at using a comparison in the session -
>> I can re-set a session value when I land on the page.
>>
>> Will get back to you tomorrow
>>
>> William
>>
>> On 6/28/07, Joel Shapiro <jsfmp at earthlink.net> wrote:
>> > Hi William
>> >
>> > Are the salesId and/or conID going to be unique per session, after
>> > login perhaps?  If so, then you should be able to set them as session
>> > variables (as you suggest) and leave them out of the URL altogether.
>> > Your called page (filename.php) could then just use the session
>> > variables in place of $_GET['salesId'] and/or $_GET['conID'].
>> >
>> > Or are these values going to vary throughout a user's session?
>> >
>> > Since you like looking at the archives... there was a thread I had
>> > started on April 24, 2006 entitled "Disallowing access thru modifying
>> > url?" that had some great responses.  (That was way early in my PHP
>> > life... I didn't even know what the term GET meant -- yoiks! :)
>> >
>> > -Joel
>> >
>> >
>> > On Jun 28, 2007, at 4:54 AM, William Downs wrote:
>> >
>> > > Hi guys -
>> > >
>> > > excellent breadth of knowledge here I have to say! - but a lot of
>> > > archive material to get through!
>> > >
>> > > I am forced sometimes to use header: Location:
>> > > filename.php?salesId=$salesId&conID=$conID - but an inquisitive user
>> > > (or a malicious one) may of course swap out the ids - what's the best
>> > > method of not allowing this to happen? - I will log them out of
>> > > course if they try this :-)
>> > >
>> > > I am thinking about setting session variables and comparing them to
>> > > the request variables, but is this the correct method?
>> > >
>> > > William
>> > > --
>> > > To see victory only when it is within the ken of the common herd is
>> > > not the acme of excellence.
>> > > _______________________________________________
>> > > FX.php_List mailing list
>> > > FX.php_List at mail.iviking.org
>> > > http://www.iviking.org/mailman/listinfo/fx.php_list
>> >
>>
>>
>> -- 
>> William Downs
>> Development and Support
>> BD Databases Ltd
>>


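Added example in PHP (not code from the thread or from FX.php) showing the two defences discussed above: Joel's approach of authorising the requested id against data kept in the session, and, for the case Dan raises where ids must still travel in the URL, a keyed HMAC rather than a bare md5() or sha1(). The session key, the secret constant and the sample ids are assumptions.

```php
<?php
// Added example, not from the thread. Two defences against swapped-out URL ids:
// 1) authorise the requested id against the user's own list held in the session;
// 2) if the ids must be in the URL, sign the query with a server-side secret so
//    any edited id fails verification. Names below are assumed, not FX.php's.

declare(strict_types=1);

// Server-side secret: assumed to come from config, never from the request.
const SECRET_KEY = 'replace-with-a-long-random-secret';

// 1) Is the requested contact one this user is allowed to view? The allowed
//    list is assumed to be filled from the database at login time.
function contactAllowed(array $session, string $requestedConId): bool
{
    $allowed = $session['allowed_contacts'] ?? [];
    return in_array($requestedConId, $allowed, true); // strict: '5x' != '5'
}

// 2) Build a redirect URL whose query string carries an HMAC over itself.
function signedUrl(string $file, array $params): string
{
    $query = http_build_query($params);
    $sig   = hash_hmac('sha256', $query, SECRET_KEY);
    return $file . '?' . $query . '&sig=' . $sig;
}

// Recompute the HMAC over every parameter except sig and compare in constant time.
function verifySignedQuery(array $get): bool
{
    if (!isset($get['sig']) || !is_string($get['sig'])) {
        return false;
    }
    $params = $get;
    unset($params['sig']);
    $expected = hash_hmac('sha256', http_build_query($params), SECRET_KEY);
    return hash_equals($expected, $get['sig']);
}

// Usage on the called page (constructed sample data, no real session here).
$session = ['allowed_contacts' => ['101', '102', '103']];
$url = signedUrl('filename.php', ['salesId' => '7', 'conID' => '102']);
parse_str((string) parse_url($url, PHP_URL_QUERY), $incoming);
$ok = verifySignedQuery($incoming) && contactAllowed($session, $incoming['conID']);
echo $ok ? "authorised\n" : "rejected\n";

// A request with conID changed to 999 fails contactAllowed(); a request with
// salesId edited (or the sig dropped) fails verifySignedQuery().
```

Reject the request (and, as William suggests, end the session) whenever either check fails; neither check replaces the other, since a correctly signed URL can still be replayed by the user it was issued to.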