Re: Referer (was Patches for wwwboard.pl)

From: Lincoln Stein (lsteinat_private)
Date: Tue Oct 13 1998 - 07:26:48 PDT


    The original article did suggest incorporating the IP address and a
    timestamp in the hash function.  The main point of the article was
    that using just the Referer field for security was a very bad idea.
    
    I sure hope this thread will be killed soon!
    
    Lincoln
    
    David Schwartz writes:
     >
     >      You should also be including a timestamp and an originator IP in the hash
     > function. Otherwise you are vulnerable to interception and replay attacks.
     > If you're going to do it, you might as well do it right.
     >
     >      DS
     >
     > > Even though I wrote this, it turns out that this isn't the best way to
     > > compute a message authentication code (MAC).  A more secure technique
     > > is this:
     > >
     > >  $hash=MD5->hexhash($secret . MD5->hexhash("$secret @untamperable @consistency"))
     > >
     > > I explain the problems with the original scheme in the October issue
     > > of Web Techniques.
     > >
     > > Lincoln
     > >
     > > --
     > > ========================================================================
     > > Lincoln D. Stein                           Cold Spring Harbor Laboratory
     > > lsteinat_private                                   Cold Spring Harbor, NY
     > > ========================================================================
     > >
    --
    ========================================================================
    Lincoln D. Stein                           Cold Spring Harbor Laboratory
    lsteinat_private                                   Cold Spring Harbor, NY
    ========================================================================
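
The scheme the thread converges on (a keyed hash over the fields the script must not let the client alter, plus the client IP and a timestamp so that a captured token cannot be replayed later or from another host), written out as an added example. This is not code from the thread or from wwwboard.pl; it is in Python rather than Perl so it can be run directly, keeps the nested-MD5 construction quoted above for fidelity, and assumes its own field names, token layout ("issued_at:mac"), server secret and a five-minute replay window. The referer_only_check function is included only to show why a Referer check on its own proves nothing: any client can set the header.

```python
import hashlib
import hmac
from urllib.parse import quote

# Assumed server secret, constructed for this example. A real deployment
# generates one at install time and keeps it outside the web root.
SECRET = b"example-wwwboard-secret"


def nested_md5_mac(secret: bytes, message: bytes) -> str:
    """The construction quoted in the thread: MD5(secret . MD5("secret message"))."""
    inner = hashlib.md5(secret + b" " + message).hexdigest().encode("ascii")
    return hashlib.md5(secret + inner).hexdigest()


def canonical_fields(untamperable: dict) -> str:
    """Serialise the fields the client must not change, in a fixed order.
    Keys and values are percent-encoded so '=', '&' and '|' cannot be used
    to make two different field sets serialise to the same string."""
    return "&".join(
        f"{quote(str(k), safe='')}={quote(str(v), safe='')}"
        for k, v in sorted(untamperable.items())
    )


def make_token(untamperable: dict, client_ip: str, issued_at: int,
               secret: bytes = SECRET) -> str:
    """Return 'issued_at:mac'. The timestamp travels in the clear; the MAC
    binds it, the field values and the originating IP together."""
    message = f"{canonical_fields(untamperable)}|{client_ip}|{issued_at}".encode()
    return f"{issued_at}:{nested_md5_mac(secret, message)}"


def verify_token(token: str, untamperable: dict, client_ip: str, now: int,
                 max_age: int = 300, secret: bytes = SECRET) -> bool:
    """Reject a malformed token, tampered fields, a different source IP,
    and a timestamp that is expired or lies in the future."""
    try:
        issued_str, _mac = token.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > max_age:
        return False  # outside the replay window
    expected = make_token(untamperable, client_ip, issued_at, secret)
    # Constant-time comparison so the MAC cannot be recovered byte by byte.
    return hmac.compare_digest(expected, token)


def referer_only_check(headers: dict, allowed_prefix: str) -> bool:
    """The check the thread argues against: it passes for any client that
    chooses to send a matching Referer header, which costs an attacker nothing."""
    return headers.get("Referer", "").startswith(allowed_prefix)


if __name__ == "__main__":
    fields = {"board": "general", "poster": "alice"}           # constructed sample form
    token = make_token(fields, "192.0.2.10", issued_at=1000)
    print(token)
    print(verify_token(token, fields, "192.0.2.10", now=1100))     # True
    print(verify_token(token, fields, "198.51.100.7", now=1100))   # False: replayed from another host
    print(verify_token(token, fields, "192.0.2.10", now=1400))     # False: replayed after the window
    print(referer_only_check({"Referer": "http://www.example.com/wwwboard/"},
                             "http://www.example.com/"))            # True, for a forged header too
```

Two points worth keeping in mind when adapting this: the client IP binding breaks for users behind rotating proxies, so some sites bind to a session cookie instead, and the nested-MD5 form is kept here only because it is what the thread discusses; new code would use hmac.new(secret, message, hashlib.sha256) for the MAC and leave everything else unchanged.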
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:22 PDT