Michael Blythe writes:
> In September's 'Web Techniques', Lincoln Stein discusses the problem of
> using the referer header as an authentication method for CGI scripts. He
> suggests using MD5 to check whether a form's fields have been tampered
> with. I'm not sure if this would work with the wwwboard, because of the way
> the script is passing info in hidden fields, but it will work in other
> applications:
> [...]
> * in perl, the MD5 hash can be computed as follows:
> $hash = MD5 -> hexhash(MD5->hexhash ($secret) "@untamperable @consistency");

Even though I wrote this, it turns out that this isn't the best way to
compute a message authentication code (MAC). A more secure technique is
this:

$hash=MD5->hexhash($secret . MD5->hexhash("$secret @untamperable @consistency"))

I explain the problems with the original scheme in the October issue of
Web Techniques.

Lincoln

--
========================================================================
Lincoln D. Stein                           Cold Spring Harbor Laboratory
lsteinat_private                           Cold Spring Harbor, NY
========================================================================
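The nested MAC from the reply above, applied to a form's hidden fields and checked again on submission. This is an added example, not code from the message or from the Web Techniques article; it assumes Digest::MD5's md5_hex in place of the older MD5->hexhash interface, and the secret, field values and helper names (form_mac, digests_equal, form_is_intact) are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);   # assumption: stands in for the older MD5->hexhash interface

# Constructed sample values; none of these come from the original message.
my $secret       = 'constructed-server-side-secret';
my @untamperable = ('item=1234', 'price=19.95');   # hidden fields the client must not change
my @consistency  = ('session=abc123');             # values tying the form to one session

# The nested construction from the message: MD5(secret . MD5("secret fields...")).
sub form_mac {
    my ($secret, $untamperable, $consistency) = @_;
    return md5_hex($secret . md5_hex("$secret @$untamperable @$consistency"));
}

# Compare two hex digests without stopping at the first differing character.
sub digests_equal {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Server side, on submission: recompute the MAC from the submitted fields.
sub form_is_intact {
    my ($secret, $untamperable, $consistency, $submitted_mac) = @_;
    return digests_equal(form_mac($secret, $untamperable, $consistency), $submitted_mac);
}

# When the form is generated, the MAC goes into its own hidden field.
my $mac = form_mac($secret, \@untamperable, \@consistency);

# An unmodified submission verifies.
print "unmodified: ",
    (form_is_intact($secret, \@untamperable, \@consistency, $mac) ? "ok" : "rejected"), "\n";

# A changed price no longer matches the MAC the server issued.
my @edited = ('item=1234', 'price=0.01');
print "edited:     ",
    (form_is_intact($secret, \@edited, \@consistency, $mac) ? "ok" : "rejected"), "\n";
```

Because the fields are joined with spaces, values that themselves contain spaces make the field boundaries ambiguous, so encode or length-prefix each value before hashing. The standardized form of this keyed nested hash is HMAC (RFC 2104), available in Perl's core Digest::SHA module as hmac_sha256_hex.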
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:15 PDT