See this bit in the <trunk>/php/config.php:

        // The html / javascript samples use a plain text demo token,
        // set this to false on anything resembling a real site
        'allow_plaintext_token' => true,
        

On May 22, 2008, at 10:07 AM, Lini H - Clarion, India wrote:

Hi Chris,

Ok, now both ways, i.e. the iframe generated in PHP or by the JavaScript, the request is sent to the Shindig server, which will accept and process the token. So will it process both the encrypted as well as the plain text token?

Regards,
     Lini Haridas
     Software Engineer

     [EMAIL PROTECTED]
     Clarion Technologies
     SEI CMMI Level 3 Company

     4th Floor, Great Eastern Plaza,
     Airport Road,
     Pune- 411 006,
     Maharashtra, India.
     Phone: +91 20 66020289
     Mobile: +91 9823435917
     www.clariontechnologies.co.in

----- Original Message -----
From: "Chris Chabot" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, May 22, 2008 1:06 PM
Subject: Re: Query regarding the security token


The javascript sample files use a security token in the following
format: st=john.doe:john.doe:appid:cont:url:0

To be honest, that's only useful for examples, not for real world
applications ... since to be 'secure' it needs to be tamper proof, and
clear text clearly is not :)

A real container would create a proper (encrypted) security token with
a private key the container / gadget server share, so that the token
can be verified for validity. The code you would see in
http://code.google.com/p/partuza/source/browse/trunk/Application/Views/gadget/gadget.php
is a simple example of how to do that.

-- Chris

On May 22, 2008, at 9:09 AM, Lini H - Clarion, India wrote:

Hi Chris,

I checked the script that creates the security token, both in the
javascript gadget file as well as the php file. The php version
encrypts the token using HMAC and base 64 whereas the security token
is used directly in the javascript container gadget file. Now what
problem will this difference cause?

Regards,
    Lini Haridas
    Software Engineer

    [EMAIL PROTECTED]
    Clarion Technologies
    SEI CMMI Level 3 Company

    4th Floor, Great Eastern Plaza,
    Airport Road,
    Pune- 411 006,
    Maharashtra, India.
    Phone: +91 20 66020289
    Mobile: +91 9823435917
    www.clariontechnologies.co.in

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
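
The difference discussed in this thread, as an added Python example that is not from the thread and is not Shindig's or Partuza's token code: a plaintext token in the sample's six-field format is accepted whether or not it was edited, while an HMAC-tagged token fails verification once altered. The key, the field names, the JSON-plus-base64 layout and the `allow_plaintext` parameter (standing in for `allow_plaintext_token`) are assumptions, and the token here is signed but not encrypted.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real container and gadget server share a random secret.
SHARED_KEY = b"constructed-demo-key"
# Field names are assumptions read off the sample token's six positions.
FIELDS = ("owner", "viewer", "app_id", "container", "app_url", "module_id")


def _tag(payload: bytes, key: bytes) -> bytes:
    return base64.urlsafe_b64encode(hmac.new(key, payload, hashlib.sha256).digest())


def issue_signed_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Container side: serialize the claims and append an HMAC-SHA256 tag."""
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return (payload + b"." + _tag(payload, key)).decode("ascii")


def read_token(token: str, allow_plaintext: bool, key: bytes = SHARED_KEY) -> dict:
    """Gadget-server side: return the claims or raise ValueError."""
    if ":" in token:  # plaintext demo format: there is nothing to verify
        if not allow_plaintext:
            raise ValueError("plaintext token rejected")
        parts = token.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed plaintext token")
        return dict(zip(FIELDS, parts))
    payload, sep, tag = token.encode("ascii").partition(b".")
    # Constant-time comparison of the received tag with the recomputed one.
    if not sep or not hmac.compare_digest(tag, _tag(payload, key)):
        raise ValueError("token signature mismatch")
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    sample = "john.doe:john.doe:appid:cont:url:0"
    edited = sample.replace(":john.doe:", ":jane.doe:", 1)
    # With plaintext allowed, the edited token is accepted like the original.
    print(read_token(edited, allow_plaintext=True)["viewer"])
    signed = issue_signed_token(read_token(sample, allow_plaintext=True))
    payload, tag = signed.split(".")
    altered = base64.urlsafe_b64encode(
        base64.urlsafe_b64decode(payload).replace(b"john.doe", b"jane.doe")).decode()
    try:
        read_token(altered + "." + tag, allow_plaintext=False)
    except ValueError as exc:
        print("rejected:", exc)
```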


