|
|
Posted by Oli Filth on 11/14/05 19:32
Gordon Burditt said the following on 14/11/2005 15:17:
>>However, this part of his (and all the other similar articles) doesn't
>>make sense to me.
>>
>>session_start();
>>$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGENT'];
>>$_SESSION['fingerprint'] = md5($fingerprint . session_id());
>>
>>"With a fingerprint that is difficult to guess, little is gained without
>>leveraging this information in an additional way than demonstrated thus
>>far."
>>
>>I don't really understand how this is more secure than just feeding
>>$_SERVER['HTTP_USER_AGENT'] into md5() without the secret seed, but I
>>must be missing something because everybody that talks about
>>fingerprinting seems to advocate adding a seed.
>
>
> Consider other threats than the user. If someone manages to snoop
> your session data (say, an employee of your hosting company), the
> extra secret stuff makes the fingerprint a bit harder to interpret
> and it's harder for that person to endanger your users.
>
> I think that argument is a bit weak, but it's a real possibility.
It's possible, but if someone has that level of access to your data,
then you're pretty much screwed anyway, I would have imagined...
If they can access your session data folder, then it's probably not
going to be much of a challenge for them to access your scripts and do
anything they want.
--
Oli
Navigation:
[Reply to this message]
|