At 04:58 PM 27/12/01, Roland wrote:
>>2 questions/points:
>>* You're assuming here that there's no way to fake the session, I presume?
>>* How do you propose to share this "random number" without Eve the
>>Eavesdropper finding it out?
>>
>>Given that either the session or the "random" number can be maintained
>>secret (and you only use the secret one), this is a viable solution.
>>Keeping these two elements secret is another matter.
>
>The point is, you can't keep the sessionId/randomNumber secret and you
>also don't NEED to keep it secret! In other words, it doesn't help the
>attacker to know the random number or session Id. What really needs to be
>kept secret is the password, which will never be sent over the net in
>plaintext! The point is, the server determines the random
>number/sessionId, and if the hacker sends the same hash that the original
>user sent, it won't work, because the server will then be expecting a
>different sessionId/randomNr.
Assuming, like I said, the attacker can't fake the session. (If the only
way you're handling sessions is with a session attribute in the request
string, that shouldn't be too difficult to do.)
--
* Jim Cheesman *
Work:
[EMAIL PROTECTED] - (34)(91) 724 9200 x 2360
Prepositions are not
words to end sentences with.
--
To unsubscribe: <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>
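The exchange the two posters are arguing about, as an added example that is not part of the list thread: the server chooses a session id and a random nonce, the client answers with a keyed hash of the nonce under the password, and the server accepts each nonce only once. The thread says only "hash"; HMAC-SHA256 is assumed here, and the user name, password and the `ChallengeServer`/`compute_response` names are constructed for the demo. The last step shows the caveat in Jim's reply: the digest protects the password, not the session id that follows it.

```python
import hashlib
import hmac
import secrets


def compute_response(password, nonce):
    """Client side: answer the challenge with a keyed hash of the server's nonce.
    The password itself never goes on the wire; only this digest does."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class ChallengeServer:
    """Server side of the scheme: issues a fresh nonce per session and accepts
    each nonce exactly once, so a captured response cannot be replayed."""

    def __init__(self, users):
        self.users = users          # {username: password}, constructed sample data
        self.pending = {}           # session_id -> (username, nonce) awaiting a response
        self.logged_in = set()      # session ids that completed the challenge

    def start_session(self, username):
        """Create a server-chosen session id and challenge for a known user."""
        if username not in self.users:
            return None
        session_id = secrets.token_hex(16)
        nonce = secrets.token_hex(16)
        self.pending[session_id] = (username, nonce)
        return session_id, nonce

    def verify(self, session_id, response):
        """Consume the challenge for this session and compare digests in constant time."""
        entry = self.pending.pop(session_id, None)
        if entry is None:           # unknown session, or nonce already used
            return False
        username, nonce = entry
        expected = compute_response(self.users[username], nonce)
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.logged_in.add(session_id)
        return ok

    def is_logged_in(self, session_id):
        """How a later request carrying only the session id is treated."""
        return session_id in self.logged_in


def run_demo():
    """Walk through the exchange with constructed credentials and return each outcome."""
    server = ChallengeServer({"alice": "correct horse battery staple"})
    results = {}

    # Legitimate exchange: server challenges, client answers, server verifies.
    session_id, nonce = server.start_session("alice")
    response = compute_response("correct horse battery staple", nonce)
    results["legit_login"] = server.verify(session_id, response)

    # Eve saw session_id, nonce and response on the wire (none of them is secret).
    # Replaying the same response against the same session fails: nonce consumed.
    results["replay_same_session"] = server.verify(session_id, response)

    # Replaying it against a new session fails too: the server now expects a
    # digest over a different nonce, and Eve lacks the password to compute it.
    new_session_id, new_nonce = server.start_session("alice")
    results["replay_new_session"] = server.verify(new_session_id, response)
    results["nonces_differ"] = nonce != new_nonce

    # The caveat in the reply: the digest protects the password, not the session.
    # If the session id travels in the query string and nothing else binds it to
    # the client, whoever copies it is treated as the logged-in user.
    results["eve_reuses_session_id"] = server.is_logged_in(session_id)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The first three results show why the random number and session id need no secrecy: knowing them does not let an eavesdropper produce a valid digest for the next challenge. The fourth shows that once the challenge is passed, the session id alone is the credential, which is the part Jim says still has to be protected.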