|
|
Posted by Ben C on 01/11/08 08:34
On 2008-01-10, Alexander Mueller <noemail@example.org> wrote:
> Ben C wrote:
>>
>> So why wouldn't this work just as well:
>>
>> 1. The user requests a site.
>> 2. The server sends the login form, which also contains a hidden input
>> whose value is a number picked out of a hat, which we call x.
>> 3. The user enters the necessary information and submits the form.
>> 4. The browser receives in the formdata at least two items: the password
>> and a number. It checks the user's password (by hashing it and
>> looking for it in a list of stored hashes, for the sake of argument)
>> and also that the number is equal to x. If either check fails it
>> refuses to go any further. Either way it makes a note never to accept
>> x again.
>
> An attacker would have determined both values, discarded the number,
> send his own request which gets him his own number and sends the
> password along with his number. There he goes.
I see. I think you're right, that is better. This way no replay attack
will work: no part of the code that gets you in (hash of
password+replaysalt) is ever the same twice.
This could be done in JS already (I wonder if anyone does that?) but it
would be more convenient and become more widely used if it was built
into the <input> element as you're suggesting.
Navigation:
[Reply to this message]
|