[Web-SIG] safe pickle?
Ng Pheng Siong
ngps at netmemetic.com
Sat Mar 13 21:00:04 EST 2004
On Sat, Mar 13, 2004 at 02:16:22PM -0600, Ian Bicking wrote:
> >Of course, the actual contents of the stateinfo variable would be
> >untrusted at this point, but that's always there with submitted data.
>
> You need to sign your pickle. Briefly, you have a server-side secret
> (a string); you concatenate that secret string with the pickle string,
> and make a hash of that (using md5 or sha1), and put that in a second
> hidden field. When you get the hidden pickle field back, you
> reconstruct that hash and check it against the hash you received -- if
> it matches, then you know it's the same pickle you gave them.
OP may also wish to add an expiry timestamp into the mix, to prevent
replay attacks. This may be in the pickled data or added with the hashing
key.
See AuthCookies in M2Crypto (url in .sig) for an implementation.
--
Ng Pheng Siong <ngps at netmemetic.com>
http://firewall.rulemaker.net -+- Firewall Change Management & Version Control
http://sandbox.rulemaker.net/ngps -+- Open Source Python Crypto & SSL
More information about the Web-SIG
mailing list