While most of these probably aren't Perl-related, I'm just amazed at how many so-called "web programmers" don't understand that trusted state should not be stored in cookies. I ranted about this in a column of mine and even provided the two-dozen lines of code required to manage cookies properly and securely.
If Netscape had only embedded a unique serial number in each browser, and not invented cookies, people would have done The Right Thing. {sigh}
I don't think that serial numbers would help. (Score:2)
And merlyn writes: If Netscape had only embedded a unique serial number in each browser, and not invented cookies, people would have done The Right Thing. {sigh}
While that's an interesting idea, I see a couple of problems. The big one is obvious: everyone is going to scream about their privacy and they would be right. Can you imagine the field day that spammers would have once they realized they could map the serial number to a set of preferences and a name? Our government has made it clear that the
Re:I don't think that serial numbers would help. (Score:1)
The bottom line is that you have to have some of the data be held in a trusted store, so you might as well avoid the need for checking for tampering by just using a product ID of some sort.
Re:I don't think that serial numbers would help. (Score:2)
The MD5 hash works by having a secret key of data kept on the server. The hidden fields are used with the secret key to ensure that creating a new MD5 hash is non-trivial. The hacker would likely be forced to brute force the key. This would be more difficult than a typical crack because there could be many hidden fields and the attacker would have to try different combinations of them. That, combined with a random enough secret key would make the MD5 hash relatively secure. I guess I should have mentio
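The keyed-hash scheme described above, as an added example that is not code from any post in this thread: it keeps the server-side secret out of the cookie and lets the server detect any edit to the hidden fields, but uses HMAC-SHA256 over a canonical encoding of the fields instead of a bare MD5 of secret plus fields, because a plain hash of secret-then-data is open to length extension while HMAC is not. The secret value, field names and cookie layout are constructed for illustration.

```python
import hmac
import hashlib
import json

# Constructed server-side secret; a real deployment loads it from configuration
# or a key store. It is never sent to the client, which is what makes forging
# a valid tag infeasible without guessing the key.
SERVER_SECRET = b"constructed-example-secret-do-not-use"

def _canonical(fields: dict) -> bytes:
    # Deterministic, unambiguous encoding: sorted keys, no whitespace, so the
    # client cannot shift field boundaries or reorder fields to reuse a tag.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_state(fields: dict, secret: bytes = SERVER_SECRET) -> str:
    """Tag to send alongside the hidden fields / cookie."""
    return hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()

def verify_state(fields: dict, tag: str, secret: bytes = SERVER_SECRET) -> bool:
    """True only if the fields are exactly what the server signed."""
    expected = sign_state(fields, secret)
    # Constant-time comparison so the tag cannot be recovered byte by byte
    # from response-time differences.
    return hmac.compare_digest(expected, tag)

def build_cookie(fields: dict) -> str:
    """Pack state plus tag into one cookie value. The state is readable by
    the client (this scheme gives integrity, not confidentiality)."""
    return f"{_canonical(fields).hex()}.{sign_state(fields)}"

def parse_cookie(cookie: str):
    """Return the fields if the cookie verifies, otherwise None."""
    try:
        payload_hex, tag = cookie.split(".", 1)
        fields = json.loads(bytes.fromhex(payload_hex))
    except ValueError:  # bad hex, missing separator, or malformed JSON
        return None
    if not isinstance(fields, dict) or not verify_state(fields, tag):
        return None
    return fields

if __name__ == "__main__":
    state = {"user": "alice", "role": "member", "cart_total": "42.00"}
    cookie = build_cookie(state)
    assert parse_cookie(cookie) == state
    # Client rewrites a field but keeps the old tag: verification fails.
    edited = build_cookie({**state, "cart_total": "0.01"}).split(".")[0]
    assert parse_cookie(edited + "." + cookie.split(".")[1]) is None
    print("signed state verified; edited state rejected")
```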