Posted by Marcus on 11/14/05 20:38
I think I just figured out the reasoning...

Oli, in response to what you said, I believe we don't want to just store
the user agent in the session in plain text because if an attacker were
to hijack the session, he would easily know what user agent to spoof in
order to trick the system into thinking he is the legit user.

Even with the md5 representation, I don't think it would be *that*
difficult for an attacker who was motivated to supply the correct user
agent for a compromised session, although obviously it would be more
difficult than plain text.

I believe the reason for padding the fingerprint with extra data is so
that if an attacker does in fact hijack a session, it would be tougher
for him to reverse engineer what the user agent is from the saved
fingerprint (as opposed to plain text or the md5 of just the browser).

Someone please correct me if I am wrong, but as far as I know md5 is a
one way function, i.e. we can't reverse it and come back to our original
string.
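The reasoning in the post above, as an added example that is not part of the original message or thread: it compares a fingerprint that is the MD5 of the user agent alone with one padded with a server-side secret, from the point of view of someone who can read the stored session value. `SERVER_SECRET`, the function names and the user-agent strings are constructed for illustration, and HMAC-SHA256 is swapped in for the padded MD5 the thread discusses.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

# Assumption: a secret kept only on the server (the "extra data" in the thread).
SERVER_SECRET = b"constructed-example-secret"

# Constructed sample user agents standing in for a list of common browsers.
COMMON_UAS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5",
    "Opera/8.51 (Windows NT 5.1; U; en)",
]

def plain_fingerprint(user_agent: str) -> str:
    """MD5 of the user agent alone (the unpadded variant)."""
    return hashlib.md5(user_agent.encode()).hexdigest()

def padded_fingerprint(user_agent: str, secret: bytes = SERVER_SECRET) -> str:
    """Fingerprint keyed with a server-side secret (HMAC-SHA256, not md5)."""
    return hmac.new(secret, user_agent.encode(), hashlib.sha256).hexdigest()

def session_matches(stored: str, user_agent: str) -> bool:
    """Server-side check on each request; constant-time comparison."""
    return hmac.compare_digest(stored, padded_fingerprint(user_agent))

def recoverable_from(stored: str, candidates: Iterable[str],
                     fingerprint: Callable[[str], str]) -> Optional[str]:
    """Return the candidate whose fingerprint equals the stored value, if any.

    Models what a reader of the session store learns without the secret.
    """
    for ua in candidates:
        if hmac.compare_digest(stored, fingerprint(ua)):
            return ua
    return None

if __name__ == "__main__":
    real_ua = COMMON_UAS[1]
    # Unpadded MD5: hashing a list of likely user agents identifies the real one.
    print(recoverable_from(plain_fingerprint(real_ua), COMMON_UAS, plain_fingerprint))
    # Padded: the same list gives no match without the server secret.
    print(recoverable_from(padded_fingerprint(real_ua), COMMON_UAS, plain_fingerprint))
    print(session_matches(padded_fingerprint(real_ua), real_ua))
```

The digest never has to be inverted for the unpadded value to leak the user agent; matching it against hashes of likely candidates is enough, which is what the secret padding prevents.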