On Thu, Jun 14, 2001 at 08:34:33PM +0200, Sverre H. Huseby wrote:
> A possible solution (for web developers) seems to be to make sure the
> user has been given an offer to do something before letting him do it:
> Give each user a unique "ticket", and for each "action" on a web page,
> bind this ticket to it. Examples on URL an form follow:
>
> http://vote.com/vote.cgi?answer=1&ticket=9871398747
>
> <input type="hidden" name="ticket" value="9871398747">
>
> When the request comes in, check if the incoming ticket matches the
> one stored in this user's session. If it does, this particular user
> was given the offer by our server, and not by anyone else. To spoof
> this system, someone would have to guess or otherwise find out what
> ticket value the victim was given by the server.
>
> To make it harder to find the ticket value given to a user, you could
> give the user many tickets, one for each possible action. This
> solution would require a "ticket pool" in the user's session. I've
> implemented the latter solution in both PHP and Java. Let me know if
> you would like some code. (It's not at all hard to implement, of
> course.)
>
>
> Sverre.
My company implemented this but went one more step. They created a file that had
(IP, ticket) pairs. The ticket was passed around in URLs, but wasn't valid unless it
came from the specific IP. To pretend to be someone else, one would have to spoof
their IP and guess the value of their (10 hour life-cycle) ticket. We did this,
originally, because we wanted to support web browsers that didn't use cookies. The
file was, actually, more like (IP, ticket, cookie-type-options-and-settings). It
worked well for us.
Sincerely,
Tim Nowaczyk
<>< Truth
