Re: fingerprinting and HTTP_USER_AGENT

Posted by Oli Filth on 11/14/05 14:54

Marcus said the following on 14/11/2005 08:10:
> I have read quite a few articles on "fingerprinting" a user when they
> start a session. Chris Shiflett has a good article here:
>
> http://shiflett.org/articles/the-truth-about-sessions
>
> However, this part of his (and all the other similar articles) doesn't
> make sense to me.
>
> session_start();
> $fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGENT'];
> $_SESSION['fingerprint'] = md5($fingerprint . session_id());
>
> "With a fingerprint that is difficult to guess, little is gained without
> leveraging this information in an additional way than demonstrated thus
> far."
>
> I don't really understand how this is more secure than just feeding
> $_SERVER['HTTP_USER_AGENT'] into md5() without the secret seed, but I
> must be missing something because everybody that talks about
> fingerprinting seems to advocate adding a seed.

I agree. Equally, I don't see what benefits using md5() gives at all.
Why not just store $_SERVER['HTTP_USER_AGENT'] in $_SESSION directly?



--
Oli
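
The two approaches discussed in this thread, side by side, as an added example that is not part of the original posts or the linked article. The function names, the secret placeholder and the sample values are hypothetical, and HMAC-SHA256 is swapped in for the quoted md5() construction. While the value stays in `$_SESSION`, the raw and hashed checks make identical decisions; the secret matters only in the assumed third case, where the fingerprint is handed to the client and must be verified when it comes back.

```php
<?php
// Added example: hypothetical helper names, constructed sample values.
const FP_SECRET = 'PLACEHOLDER-random-server-side-secret';

// Variant A: keep the raw User-Agent in the session.
function check_raw(array &$session, string $ua): bool
{
    if (!isset($session['ua'])) {          // first request: record it
        $session['ua'] = $ua;
        return true;
    }
    return hash_equals($session['ua'], $ua);
}

// Keyed fingerprint; HMAC-SHA256 is swapped in for md5(secret . ua . id).
function fingerprint(string $ua, string $sid): string
{
    return hash_hmac('sha256', $ua . "\0" . $sid, FP_SECRET);
}

// Variant B: keep only the keyed fingerprint in the session.
function check_hashed(array &$session, string $ua, string $sid): bool
{
    $fp = fingerprint($ua, $sid);
    if (!isset($session['fingerprint'])) { // first request: record it
        $session['fingerprint'] = $fp;
        return true;
    }
    return hash_equals($session['fingerprint'], $fp);
}

// Variant C (assumption): the fingerprint is also handed to the client as a
// second token, so the server verifies a value that came back from outside.
function check_token(string $token, string $ua, string $sid): bool
{
    return hash_equals(fingerprint($ua, $sid), $token);
}

$sid   = 'constructed-session-id-0001';                  // constructed
$owner = 'Mozilla/5.0 (X11; Linux) ExampleBrowser/1.0';  // constructed
$other = 'Mozilla/5.0 (Windows) OtherBrowser/2.0';       // constructed

$a = [];
$b = [];
foreach ([$owner, $owner, $other] as $ua) {
    // Decisions of variant A and variant B for the same request sequence.
    var_dump([check_raw($a, $ua), check_hashed($b, $ua, $sid)]);
}
var_dump(check_token(fingerprint($owner, $sid), $owner, $sid)); // keyed token
var_dump(check_token(md5($owner . $sid), $owner, $sid));        // unkeyed value
```

In all three variants a request that carries the session ID together with the same User-Agent string is accepted, so the check only narrows which requests pass and does not replace protecting the session ID itself.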

 
