Re: Referer (was Patches for wwwboard.pl)
From: davids () WEBMASTER COM (David Schwartz)
Date: Mon, 12 Oct 1998 14:48:19 -0700
You should also be including a timestamp and an originator IP in the hash
function. Otherwise you are vulnerable to interception and replay attacks.
If you're going to do it, you might as well do it right.
Even though I wrote this, it turns out that this isn't the best way to
compute a message authentication code (MAC). A more secure technique
$hash=MD5->hexhash($secret . MD5->hexhash("$secret @untamperable
I explain the problems with the original scheme in the October issue
of Web Techniques.
Lincoln D. Stein Cold Spring Harbor Laboratory
lstein () cshl org Cold Spring Harbor, NY
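An added example, not code from either poster: a token that binds the protected fields to a timestamp and the originator IP, so an intercepted value fails when replayed later or from another address. It uses HMAC-SHA256 from Python's standard library, the standardized nested keyed-hash construction, in place of the nested MD5 call quoted in the thread; the function names, secret, field values and five-minute lifetime are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # constructed value; load from protected config in practice
MAX_AGE = 300                        # assumed policy: tokens are valid for five minutes


def _mac(secret, fields):
    """HMAC over length-prefixed fields so ("ab", "c") and ("a", "bc") cannot collide."""
    msg = b"".join(
        len(raw).to_bytes(4, "big") + raw
        for raw in (f.encode("utf-8") for f in fields)
    )
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(secret, payload, client_ip, now=None):
    """Return "timestamp:mac" covering the payload, the timestamp and the client IP."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(secret, [payload, ts, client_ip])}"


def verify_token(secret, token, payload, client_ip, now=None, max_age=MAX_AGE):
    """Accept only an untampered token, from the same IP, inside the time window."""
    now = time.time() if now is None else now
    ts, sep, mac = token.partition(":")
    if not sep or not (ts.isascii() and ts.isdigit()):
        return False
    expected = _mac(secret, [payload, ts, client_ip])
    # Constant-time comparison avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False
    age = now - int(ts)
    return 0 <= age <= max_age  # rejects expired and future-dated tokens


if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges).
    tok = issue_token(SECRET, "board=main", "192.0.2.10", now=1000)
    print("same IP, in window:", verify_token(SECRET, tok, "board=main", "192.0.2.10", now=1100))
    print("replayed from other IP:", verify_token(SECRET, tok, "board=main", "198.51.100.7", now=1100))
    print("replayed after expiry:", verify_token(SECRET, tok, "board=main", "192.0.2.10", now=1301))
```

The timestamp travels in the clear next to the MAC, which is safe because it is also covered by the MAC: changing it invalidates the token.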