httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From r..@ai.mit.edu (Robert S. Thau)
Subject Re: Restricting POST access from external forms?
Date Wed, 01 May 1996 14:13:12 GMT
  This obviously can't be done by the server.  Some sort of cookie mechanism,
  or an intelligent one-time password scheme passed from page to page might
  do the trick.

[going through email in as received...]

Hmmm.  That's an idea.  How about a hidden field containing the md5
digest of the client's address and a server nonce, to be used as an
authenticator?  (If you don't like md5 or random hashes, pick the
one-way function of your choice).

This won't keep away other users with access to the form contents on
the same client (e.g., someone who has cracked root on the client
machine).  You can make it more awkward for such an attacker by
tossing extra authenticators into the digest (timestamp, auth
username, whatever), but it isn't intuitively obvious that *any* such
set of extra barriers will save a sufficiently compromised client.

(One thing this scheme does prevent is a replay attack from a
*different* client, I *think* --- but you shouldn't trust your
security to five minutes of anyone's thought, of course).

rst


Mime
View raw message