The original article did suggest incorporating the IP address and a timestamp in the hash function. The main point of the article was that using just the Referer field for security was a very bad idea.

I sure hope this thread will be killed soon!

Lincoln

David Schwartz writes:
>
> You should also be including a timestamp and an originator IP in the hash
> function. Otherwise you are vulnerable to interception and replay attacks.
> If you're going to do it, you might as well do it right.
>
> DS
>
> > Even though I wrote this, it turns out that this isn't the best way to
> > compute a message authentication code (MAC). A more secure technique
> > is this:
> >
> > $hash=MD5->hexhash($secret . MD5->hexhash("$secret @untamperable @consistency"))
> >
> > I explain the problems with the original scheme in the October issue
> > of Web Techniques.
> >
> > Lincoln
> >
> > --
> > ========================================================================
> > Lincoln D. Stein                        Cold Spring Harbor Laboratory
> > lsteinat_private                        Cold Spring Harbor, NY
> > ========================================================================
> >

--
========================================================================
Lincoln D. Stein                        Cold Spring Harbor Laboratory
lsteinat_private                        Cold Spring Harbor, NY
========================================================================
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:19:22 PDT
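
The nested MAC from the quoted message, combined with the timestamp and originator IP suggested in the reply, as an added example that is not part of the original thread. It uses Digest::MD5's md5_hex in place of the message's MD5->hexhash; the secret, the form fields, the NUL field separator, the token layout and the 300-second window are constructed assumptions.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

my $SECRET  = 'constructed-demo-secret';  # constructed value; the real one stays server-side
my $MAX_AGE = 300;                        # assumed validity window, in seconds

# Nested MAC as in the message: H(secret . H(secret . data)).
# Joining fields with NUL (an assumption) keeps field boundaries unambiguous.
sub mac {
    return md5_hex($SECRET . md5_hex($SECRET . join("\0", @_)));
}

# Issue a token bound to the client IP and the issue time.
sub issue {
    my ($ip, $now, @fields) = @_;
    return join(':', $now, mac($ip, $now, @fields));
}

# Compare two strings without stopping at the first differing character.
sub same {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Accept only an unexpired token whose MAC matches this IP and these fields.
sub verify {
    my ($token, $ip, $now, @fields) = @_;
    my ($ts, $sig) = ($token // '') =~ /\A(\d+):([0-9a-f]{32})\z/ or return 0;
    return 0 if $ts > $now || $now - $ts > $MAX_AGE;
    return same($sig, mac($ip, $ts, @fields));
}

my @form  = ('item=42', 'price=19.95');             # constructed hidden form fields
my $token = issue('192.0.2.10', 1_000_000, @form);  # constructed IP and clock value
for my $case (
    ['same client, in time',     $token, '192.0.2.10',   1_000_060, @form],
    ['replay from another IP',   $token, '198.51.100.7', 1_000_060, @form],
    ['replay after the window',  $token, '192.0.2.10',   1_000_600, @form],
    ['price field tampered',     $token, '192.0.2.10',   1_000_060, 'item=42', 'price=0.01'],
) {
    my ($label, @args) = @$case;
    printf "%-26s %s\n", $label, verify(@args) ? 'accept' : 'reject';
}
```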