Reply to Re: New Input type proposal

Posted by Alexander Mueller on 01/10/08 22:31

Ben C wrote:
>
> So why wouldn't this work just as well:
>
> 1. The user requests a site.
> 2. The server sends the login form, which also contains a hidden input
> whose value is a number picked out of a hat, which we call x.
> 3. The user enters the necessary information and submits the form.
> 4. The browser receives in the form data at least two items: the password
> and a number. It checks the user's password (by hashing it and
> looking for it in a list of stored hashes, for the sake of argument)
> and also that the number is equal to x. If either check fails it
> refuses to go any further. Either way it makes a note never to accept
> x again.

An attacker would have determined both values, discarded the number,
sent his own request, which gets him his own number, and sent the
password along with his number. There he goes.

Alexander
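The following is an added worked example, not code from either poster. It models the four-step scheme Ben C described and runs the three cases Alexander's reply turns on: an honest login, a replay of the exact captured form (which the hidden number does stop), and an attacker who throws the captured number away, fetches his own form, and submits the captured password with the fresh number. The class and function names (LoginServer, issue_form, submit_form, honest_login, replay_capture, attacker_fresh_nonce, demo), the salted PBKDF2 storage, and the sample user are all assumptions made for the illustration.

```python
"""Toy model of the login scheme quoted in the thread.

Added example, not code from the original post.  Names and the
password-storage details are assumptions chosen for the illustration.
"""
import hashlib
import hmac
import secrets


class LoginServer:
    """Server side of the proposed scheme: hand out a fresh number x with
    each form, accept each x at most once, check the password against a
    stored hash.  x is burned whether or not the checks pass."""

    def __init__(self, users):
        # users: {username: password}.  Only salted hashes are kept.
        self._salt = secrets.token_bytes(16)
        self._hashes = {u: self._hash(p) for u, p in users.items()}
        self._outstanding = set()   # values of x issued, not yet submitted
        self._burned = set()        # values of x that will never be accepted again

    def _hash(self, password):
        # Iteration count kept low so the demo runs quickly.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def issue_form(self):
        """Step 2: pick x 'out of a hat' and put it in the hidden input."""
        x = secrets.token_hex(16)
        self._outstanding.add(x)
        return x

    def submit_form(self, username, password, x):
        """Step 4: refuse unless x is outstanding and the password matches.
        Either way, make a note never to accept x again."""
        fresh = x in self._outstanding and x not in self._burned
        self._outstanding.discard(x)
        self._burned.add(x)
        if not fresh:
            return False
        stored = self._hashes.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._hash(password))


def honest_login(server, username, password):
    """Steps 1-4 as the legitimate user performs them.  Returns (x, accepted)."""
    x = server.issue_form()
    return x, server.submit_form(username, password, x)


def replay_capture(server, username, password, x):
    """An eavesdropper resubmits the exact captured form, same x.  This is
    the one thing the hidden number defends against."""
    return server.submit_form(username, password, x)


def attacker_fresh_nonce(server, username, password):
    """Alexander's point: discard the captured x, request a form to obtain
    a fresh x, and send the captured password with that one."""
    x_attacker = server.issue_form()
    return server.submit_form(username, password, x_attacker)


def demo():
    """Constructed scenario: an eavesdropper records alice's whole
    submission (password and x).  Returns (honest, replayed, hijacked)."""
    server = LoginServer({"alice": "s3cret-pass"})
    x_captured, honest = honest_login(server, "alice", "s3cret-pass")
    replayed = replay_capture(server, "alice", "s3cret-pass", x_captured)
    hijacked = attacker_fresh_nonce(server, "alice", "s3cret-pass")
    return honest, replayed, hijacked


if __name__ == "__main__":
    honest, replayed, hijacked = demo()
    print("honest login accepted:     ", honest)
    print("replay of captured x:      ", replayed)
    print("captured password, fresh x:", hijacked)
```

The number x is checked on its own and is never tied to the password, so the server cannot tell a submission typed by the user from one assembled by whoever saw the password go by; it only rejects a second submission carrying the same x. That is the gap the reply points out.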


