Posted by Gordon Burditt on 11/14/05 17:17
>However, this part of his (and all the other similar articles) doesn't
>make sense to me.
>
>session_start();
>$fingerprint = 'SECRETSTUFF' . $_SERVER['HTTP_USER_AGENT'];
>$_SESSION['fingerprint'] = md5($fingerprint . session_id());
>
>"With a fingerprint that is difficult to guess, little is gained without
>leveraging this information in an additional way than demonstrated thus
>far."
>
>I don't really understand how this is more secure than just feeding
>$_SERVER['HTTP_USER_AGENT'] into md5() without the secret seed, but I
>must be missing something because everybody that talks about
>fingerprinting seems to advocate adding a seed.
 
 Consider other threats than the user.  If someone manages to snoop
 your session data (say, an employee of your hosting company), the
 extra secret stuff makes the fingerprint a bit harder to interpret
 and it's harder for that person to endanger your users.
 
 I think that argument is a bit weak, but it's a real possibility.
 
 Gordon L. Burditt
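Gordon's point about someone who can read the session store, worked through as an added example (Python, not code from the thread; the secret, session id and user-agent list are constructed):

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed sample values for this example; none come from the thread.
SECRET = "SECRETSTUFF"                          # the "secret seed" under discussion
SESSION_ID = "9a4c1e0f7b2d"                     # hypothetical session id
USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) Firefox/1.5"

# Constructed, short list of user agents.  Browser populations are small,
# so a list like this explains most stored values.
COMMON_AGENTS = [
    "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.5",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/5.0 (X11; Linux x86_64) Firefox/1.5",
    "Opera/8.5 (Windows NT 5.1; U; en)",
]


def fingerprint(user_agent: str, session_id: str, secret: str = "") -> str:
    """Same recipe as the quoted PHP: md5(secret . HTTP_USER_AGENT . session_id)."""
    return hashlib.md5((secret + user_agent + session_id).encode()).hexdigest()


def fingerprint_matches(stored: str, user_agent: str, session_id: str,
                        secret: str = "") -> bool:
    """Server-side check on each request: recompute and compare in constant time."""
    return hmac.compare_digest(stored, fingerprint(user_agent, session_id, secret))


def interpret_stored_fingerprint(stored: str, session_id: str,
                                 candidates: List[str]) -> Optional[str]:
    """What a reader of the session store (id + fingerprint) who does not know
    the secret can learn: the candidate user agent that reproduces the stored
    value, or None.  Only an unseeded fingerprint gives anything back."""
    for ua in candidates:
        if fingerprint(ua, session_id) == stored:
            return ua
    return None


if __name__ == "__main__":
    unseeded = fingerprint(USER_AGENT, SESSION_ID)
    seeded = fingerprint(USER_AGENT, SESSION_ID, SECRET)
    print("unseeded ->", interpret_stored_fingerprint(unseeded, SESSION_ID, COMMON_AGENTS))
    print("seeded   ->", interpret_stored_fingerprint(seeded, SESSION_ID, COMMON_AGENTS))
```

The per-request check behaves the same either way; only what a reader of the stored value can reconstruct from it differs.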