Timeline for Better techniques than url parameter encryption
Current License: CC BY-SA 3.0
7 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Jul 17, 2012 at 18:16 | comment added | D.W. | | @symcbean, Nice solution. I took the liberty of editing your answer to reflect using a static crypto key. Hope that was OK. +1, nice answer. |
| Jul 17, 2012 at 18:16 | history edited | D.W. | CC BY-SA 3.0 | implement suggestion to use a static crypto key |
| Jul 17, 2012 at 16:05 | comment added | symcbean | | @D.W.: true - using a static value held server side in place of session_id() solves this and resolves the bookmark issue (with the option of using the username as well as the secret static value to prevent portability of bookmarks). |
| Jul 16, 2012 at 21:51 | comment added | avgvstvs | | I will stress that SSL is already being used. I'm not concerned with what's between client and server, I'm concerned with what the client will be sending in to snoop. |
| Jul 16, 2012 at 18:19 | comment added | D.W. | | The hash method in the second half of your algorithm is broken and adds no security whatsoever. I know my own session ID (it is in my session cookie) so if I am evil, I can choose any parameter value I want, calculate the appropriate MD5, and ensure that the server-side validation check passes. You probably want a message authentication code (MAC), not a hash function, but the MAC key needs to be stored solely on the server and never sent to clients. |
| Jul 16, 2012 at 15:46 | history edited | symcbean | CC BY-SA 3.0 | added 292 characters in body |
| Jul 16, 2012 at 15:27 | history answered | symcbean | CC BY-SA 3.0 | |
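The exchange above contrasts two ways of protecting URL parameters: a plain hash over the session id plus the parameter (which D.W. notes the client can recompute, since the session id is in the client's own cookie) and a MAC keyed with a static secret held only on the server, optionally bound to the username so a signed link is not portable between users. The following Python example, added here and not part of the thread or the original answer, puts both side by side: `weak_tag` is the hash scheme, `mac_tag` is the HMAC replacement, and `sign_query`/`verify_query` apply it to a query string. The session id, username, parameter values and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed values for this demonstration only.
SESSION_ID = "3f9c1a7e5d2b4c6a8e0f1b2d3c4e5f60"  # the client's own session cookie
SERVER_MAC_KEY = secrets.token_bytes(32)         # static key that never leaves the server


def weak_tag(session_id: str, param: str) -> str:
    """The hash scheme discussed in the thread: MD5 over session id + parameter.
    Every input is known to the client, so the client can compute the tag too."""
    return hashlib.md5((session_id + param).encode()).hexdigest()


def weak_verify(session_id: str, param: str, tag: str) -> bool:
    """Server-side check for the hash scheme; it only proves the sender knew the session id."""
    return hmac.compare_digest(weak_tag(session_id, param), tag)


def _canonical_message(username: str, param: str) -> bytes:
    # Length-prefix the username so "ab"+"c..." and "a"+"bc..." cannot collide.
    return f"{len(username)}:{username}|{param}".encode()


def mac_tag(key: bytes, username: str, param: str) -> str:
    """HMAC-SHA256 over username and parameter with the server-only key.
    Binding the username means a link signed for one user fails for another."""
    return hmac.new(key, _canonical_message(username, param), hashlib.sha256).hexdigest()


def mac_verify(key: bytes, username: str, param: str, tag: str) -> bool:
    """Constant-time comparison of the recomputed MAC against the presented tag."""
    return hmac.compare_digest(mac_tag(key, username, param), tag)


def client_side_weak_tag(session_id: str, chosen_param: str) -> str:
    """What a client holding only its session cookie can compute for any parameter
    it chooses; the server's weak_verify accepts it, which is the defect D.W. describes."""
    return weak_tag(session_id, chosen_param)


def client_side_mac_guess(session_id: str, username: str, chosen_param: str) -> str:
    """Without SERVER_MAC_KEY the client can only key the HMAC with something it knows,
    such as the session id; the server's mac_verify rejects the result."""
    return hmac.new(session_id.encode(), _canonical_message(username, chosen_param),
                    hashlib.sha256).hexdigest()


def sign_query(key: bytes, username: str, params: dict) -> str:
    """Build a query string with a 'sig' parameter covering the sorted parameters."""
    canonical = urlencode(sorted(params.items()))
    return canonical + "&sig=" + mac_tag(key, username, canonical)


def verify_query(key: bytes, username: str, query: str) -> Optional[dict]:
    """Return the parameters if the signature is valid for this user, else None.
    Single-valued parameters are assumed; repeated keys are not handled here."""
    parsed = parse_qs(query, keep_blank_values=True)
    sig = parsed.pop("sig", [None])[0]
    if sig is None:
        return None
    canonical = urlencode(sorted((k, v[0]) for k, v in parsed.items()))
    if not mac_verify(key, username, canonical, sig):
        return None
    return {k: v[0] for k, v in parsed.items()}


if __name__ == "__main__":
    forged = client_side_weak_tag(SESSION_ID, "orderid=99999")
    print("hash scheme accepts client-chosen parameter:",
          weak_verify(SESSION_ID, "orderid=99999", forged))
    guess = client_side_mac_guess(SESSION_ID, "alice", "orderid=99999")
    print("HMAC scheme accepts client guess:",
          mac_verify(SERVER_MAC_KEY, "alice", "orderid=99999", guess))
    q = sign_query(SERVER_MAC_KEY, "alice", {"orderid": "42", "view": "full"})
    print("signed query:", q)
    print("verified for alice:", verify_query(SERVER_MAC_KEY, "alice", q))
    print("same link presented as bob:", verify_query(SERVER_MAC_KEY, "bob", q))
```

The key is generated at start-up here only to keep the example self-contained; in a deployment it would be loaded from configuration or a secret store and rotated deliberately, since rotating it invalidates every previously signed link (which is the bookmark trade-off symcbean mentions).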