Posted by Marcus on 11/14/05 20:10
Oli Filth wrote:
> Gordon Burditt said the following on 14/11/2005 15:17:
>
>>> However, this part of his (and all the other similar articles)
>>> doesn't make sense to me.
>>>
>>> session_start();
>>> $fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGENT'];
>>> $_SESSION['fingerprint'] = md5($fingerprint . session_id());
>>>
>>> "With a fingerprint that is difficult to guess, little is gained
>>> without leveraging this information in an additional way than
>>> demonstrated thus far."
>>>
>>> I don't really understand how this is more secure than just feeding
>>> $_SERVER['HTTP_USER_AGENT'] into md5() without the secret seed, but I
>>> must be missing something because everybody that talks about
>>> fingerprinting seems to advocate adding a seed.
>>
>>
>>
>> Consider other threats than the user. If someone manages to snoop
>> your session data (say, an employee of your hosting company), the
>> extra secret stuff makes the fingerprint a bit harder to interpret
>> and it's harder for that person to endanger your users.
>>
>> I think that argument is a bit weak, but it's a real possibility.
>
>
>
> It's possible, but if someone has that level of access to your data,
> then you're pretty much screwed anyway, I would have imagined...
>
> If they can access your session data folder, then it's probably not
> going to be much of a challenge for them to access your scripts and do
> anything they want.
>
>
Thanks guys, I will try and email Chris and see what he says. I emailed
him once before with a question about an article of his and he was very
helpful in his response, but it took a long time - I'm sure he gets
deluged with emails every day for the numerous articles he writes. In
the meantime, am I performing my check right? That is my biggest
confusion... if I am performing the
$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGENT'];
if(md5($fingerprint) != $_SESSION['fingerprint'])
{
// prompt for password
}
check correctly, I see no real reason to use the full fingerprint (other
than what Gordon pointed out). However, if I am missing something here
and should be performing the check some other way, I could definitely
see the benefit in using some sort of padding to create a fingerprint
that does not simply contain the user agent. Thanks!!!
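The two snippets in the thread do not recompute the same value: the stored fingerprint is md5(secret . user agent . session_id()), while the check hashes only secret . user agent, so the comparison can never succeed. The following Python is an added example written for this page (it is not the article's or the poster's code) that models both versions side by side. A dict stands in for PHP's session store, SECRET is a placeholder for the 'SECRETSTUFF' literal, and all user agents and session ids are constructed values.

```python
"""Session fingerprint check, modelled on the PHP snippets in the thread.

Constructed example: a dict stands in for PHP's per-session $_SESSION
store, and SECRET / user agents / session ids are made-up values.
"""
import hashlib
import hmac
import secrets

SECRET = b"SECRETSTUFF"   # stands in for the 'SECRETSTUFF' literal in the post

# In-memory stand-in for the server-side session store, keyed by session id.
SESSIONS: dict[str, dict] = {}


def fingerprint(secret: bytes, user_agent: str, session_id: str) -> str:
    """md5(secret . user_agent . session_id), as the article's snippet stores it."""
    return hashlib.md5(secret + user_agent.encode() + session_id.encode()).hexdigest()


def session_start(user_agent: str) -> str:
    """Create a session and record its fingerprint (the article's session_start block)."""
    session_id = secrets.token_hex(16)   # stand-in for PHP's session_id()
    SESSIONS[session_id] = {"fingerprint": fingerprint(SECRET, user_agent, session_id)}
    return session_id


def check_as_posted(session_id: str, user_agent: str) -> bool:
    """The comparison from the post: md5(secret . user_agent), without session_id()."""
    stored = SESSIONS[session_id]["fingerprint"]
    recomputed = hashlib.md5(SECRET + user_agent.encode()).hexdigest()
    return recomputed == stored


def check_consistent(session_id: str, user_agent: str) -> bool:
    """Recompute from the same three inputs that produced the stored value."""
    stored = SESSIONS[session_id]["fingerprint"]
    recomputed = fingerprint(SECRET, user_agent, session_id)
    # Constant-time compare; both are equal-length hex strings.
    return hmac.compare_digest(recomputed, stored)


def demo() -> dict:
    """Run one session through both checks and return the outcomes."""
    ua = "Mozilla/5.0 (constructed UA)"
    sid = session_start(ua)
    return {
        "posted_same_ua": check_as_posted(sid, ua),        # False: session id left out
        "consistent_same_ua": check_consistent(sid, ua),   # True
        "consistent_other_ua": check_consistent(sid, "Other/1.0"),  # False: UA changed
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The md5 construction is kept only to match the thread; a keyed HMAC (hmac.new(secret, ua + sid, sha256)) would be the usual choice today, and the comparison should stay constant-time either way.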