On 8 Dec 99, at 16:26, Vivek Khera wrote:

> Encryption, or store the state locally and pass a handle to that
> state, eg, a file name or database object number.

In order to do this, security must be done.  It is too easy for 
someone to make a form and have it submit strange values to your 
script.  

I have a solution I'm working on implementing that should make it 
possible to do this fairly securely.  

Caveat: the username and password of the initial logon are sent in 
cleartext from the user, so this should not be used in highly secure 
environments.

Any comments would be appreciated.  Is this secure, overkill, too 
elaborate, effective, what?

Transaction Security Plan:

User logs in and supplies username and password.
Database lookup performed confirming this and retrieving user's account number.

Session table in database:
session number (unique) - key to this table.
account number (unique)
encstring (unique) [8 characters long or whatever]
ip_address (unique) [15 characters long]
timestamp datetime

When user logs on, previous entries for that account number in the 
Session table are removed. This means only one use of a given 
username/password at a time.  

Random session number and string to be encrypted are generated. 

These are stored in the session database. (It will error if they are not 
unique as required in the table spec above). 
MD5 hash created for the encstring.

Sent to the client as hidden fields with each transaction:
  MD5 hash
  session number

User hits submit button which includes the above hidden fields and 
new data submitted as part of the form.  

Session number is looked up in database and compared. Error out 
if there isn't one. 

The encstring is MD5 hashed and the hash compared with the one 
that came back with the form submission.  Error if they don't match. 

IP address from database is compared with environment IP address 
and error if they don't match. 

If the time stamp is over 10 minutes old [more or less depending on 
environment and how careful you like to be], an error is generated. 

Check HTTP_REFERER environment variable. If it is not valid, error 
out. 

Time stamp is updated in session table if everything matches.

If the user comes to the CGI script without the hidden fields matching a 
session table entry, redirect them to the logon screen.  

--
This is a message from the code-talk mailing list.
To unsubscribe from this list send a message to:
[EMAIL PROTECTED]
with a subject of
gbye code-talk
Send problems/queries to [EMAIL PROTECTED] with any other subject.
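The following is an added example, not code from the original post or its author, that walks through the Transaction Security Plan above end to end: login creates the Session table row and the two hidden fields, and validate applies the checks in the order the plan lists them. The in-memory SESSIONS dict, the login/validate function names, the example.test referer prefix, the token sizes and the sample IP addresses are all assumptions chosen for illustration; the plan's UNIQUE constraint on ip_address is not enforced here. The now parameter exists only so the 10-minute window can be exercised with fixed clock values.

```python
import hashlib
import secrets
import time

SESSION_TIMEOUT_SECONDS = 10 * 60  # the 10-minute window from the plan
# Assumption: forms are served from this location, so a valid HTTP_REFERER starts with it.
VALID_REFERER_PREFIX = "https://example.test/app/"

# Hypothetical in-memory stand-in for the Session table, keyed by session number.
SESSIONS = {}


def _unique_token(nbytes, taken):
    """Random hex token, retried on collision (stands in for the table's UNIQUE constraint)."""
    while True:
        tok = secrets.token_hex(nbytes)
        if tok not in taken:
            return tok


def login(account_number, ip_address, now=None):
    """After username/password succeed: drop the account's old sessions, create a new
    row, and return the two hidden fields (MD5 hash and session number) for the client."""
    now = time.time() if now is None else now
    # Remove previous entries for that account number: one session per username at a time.
    for sid in [s for s, row in SESSIONS.items() if row["account"] == account_number]:
        del SESSIONS[sid]
    session_number = _unique_token(8, SESSIONS.keys())
    # 8-character encstring, as in the table spec
    encstring = _unique_token(4, {row["encstring"] for row in SESSIONS.values()})
    SESSIONS[session_number] = {
        "account": account_number,
        "encstring": encstring,
        "ip": ip_address,
        "timestamp": now,
    }
    md5_hash = hashlib.md5(encstring.encode()).hexdigest()
    return {"session_number": session_number, "md5": md5_hash}


def validate(form, ip_address, referer, now=None):
    """Apply the plan's checks to a form submission; returns (ok, reason).
    A missing session means 'send them back to the logon screen'."""
    now = time.time() if now is None else now
    row = SESSIONS.get(form.get("session_number"))
    if row is None:
        return False, "redirect_to_logon"
    # Re-hash the stored encstring and compare with the hash the form carried back.
    expected = hashlib.md5(row["encstring"].encode()).hexdigest()
    if not secrets.compare_digest(expected, form.get("md5", "")):
        return False, "hash_mismatch"
    if row["ip"] != ip_address:
        return False, "ip_mismatch"
    if now - row["timestamp"] > SESSION_TIMEOUT_SECONDS:
        return False, "session_expired"
    if not (referer or "").startswith(VALID_REFERER_PREFIX):
        return False, "bad_referer"
    # Everything matched: refresh the time stamp so the window slides forward.
    row["timestamp"] = now
    return True, "ok"


if __name__ == "__main__":
    fields = login("acct-1", "192.0.2.10")
    print(validate(fields, "192.0.2.10", "https://example.test/app/form"))
```

The hash comparison uses secrets.compare_digest so that it runs in constant time regardless of where the strings differ; in a real deployment the database's own UNIQUE index replaces the retry loop, and the referer is only as trustworthy as the client that sends it.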