Re: Passing data between frames

Mark Reardon wrote:
> I use large handles (512 bit or larger) and I encrypt them

That sounds unnecessarily complex. Why bother with the encryption/decryption cycle?

Hash the browser ID, source IP and some salt. Put the hash into cookie. The same cookie goes into the database with whatever information you're tracking, using the hash as your primary key.

When you receive a cookie, recompute the hash from the same values and compare. If they match, retrieve the values from the database. If they don't, you could probably still flush the table entry based on the browser ID and source IP, although that may not be sufficiently unique.

> To narrow that window, table entries are

Is the uniqueness really required?

If so, you can still easily do this with just hashes. Use the same approach to handle salt values in password files - just prepend the sequence number to the hash before encoding it in hex or base64 for your cookie. When you get a cookie, pull the salt value and use it to generate the new hash. The table could/should also contain the current sequence number. Received on Fri Mar 28 19:28:01 2003

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek