PerlMonks
I agree with hardburn.
What I use is taken from Lincoln Stein's Apache Modules book. I create a string which is passed to the cookie and is also saved in a database for comparison. It might be overkill but the cookie string is updated on each page as one of the fields used to create it is a timestamp. As Lincoln points out this is extremely sensitive to the smallest change in passed parameters, therefore is very hard to spoof and (almost) insures randomness. The $secret variable holds a 128 character string, which should be as random as possible. The @fields array holds whatever data you want to use, as stated before preferably not relevant user data, which combination should of course be unique for each session. Changing the $secret string on a regular basis will also provide peace of mind ;-) Update It looks like the book had a typo as this correct version of the code appears somewhere else in the book. Sorry Lincoln, my bad! jayrom In reply to Re: Is this a secure way to prevent cookie tampering
by jayrom
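The scheme jayrom describes (a MAC over a secret plus a set of fields including a timestamp, sent in the cookie and also stored server-side for comparison) as an added example. This is not the code from the post or from Lincoln Stein's book: it uses HMAC-SHA256 from the core Digest::SHA module instead of whatever digest the book uses, joins the fields with a NUL separator so that adjacent fields cannot be shifted into each other, and stands in a plain hash for the database. The secret, session id and timestamp values are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical secret: in practice load a long random string from config,
# rotate it regularly, and never send it to the client.
my $secret = 'replace-with-128-random-characters-from-/dev/urandom';

# Stand-in for the database table that holds the last MAC issued per
# session (constructed for this example).
my %db;

# Build the MAC over the caller's fields. The secret is the HMAC key, not
# concatenated data, and the fields are joined with a byte that cannot
# occur in them, so ("ab","c") and ("a","bc") produce different MACs.
sub make_mac {
    my ($key, @fields) = @_;
    return hmac_sha256_hex(join("\0", @fields), $key);
}

# Issue the cookie value: the cleartext fields (session id, issue time)
# followed by their MAC. The MAC is also stored server-side so a stale
# or forged cookie can be checked against the database, as the post does.
sub issue_cookie {
    my ($session_id, $now) = @_;
    my $mac = make_mac($secret, $session_id, $now);
    $db{$session_id} = $mac;
    return join(':', $session_id, $now, $mac);
}

# Constant-time comparison so a forged MAC cannot be guessed byte by
# byte from timing differences in a plain eq.
sub const_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Verify an incoming cookie: recompute the MAC from the cleartext fields,
# compare it with the one the cookie carries, then with the one the
# database holds (rejecting superseded cookies), and enforce a max age.
sub verify_cookie {
    my ($cookie, $now, $max_age) = @_;
    my ($session_id, $issued, $mac) = split /:/, $cookie, 3;
    return 0 unless defined $mac && $issued =~ /^\d+$/;
    my $expected = make_mac($secret, $session_id, $issued);
    return 0 unless const_eq($mac, $expected);
    return 0 unless exists $db{$session_id} && const_eq($db{$session_id}, $mac);
    return 0 if $now - $issued > $max_age;
    return 1;
}

# Demonstration with constructed values (a real handler would use time()).
my $t      = 1_700_000_000;
my $cookie = issue_cookie('sess42', $t);
print "issued:   $cookie\n";
print "valid:    ", (verify_cookie($cookie, $t + 60, 3600) ? "yes" : "no"), "\n";

# Change a field but keep the MAC: the recomputed MAC no longer matches.
(my $tampered = $cookie) =~ s/^sess42/sess99/;
print "tampered: ", (verify_cookie($tampered, $t + 60, 3600) ? "yes" : "no"), "\n";

# The next page view reissues the cookie; the old one no longer matches
# what the database holds, so replaying it fails.
my $old = $cookie;
issue_cookie('sess42', $t + 120);
print "stale:    ", (verify_cookie($old, $t + 180, 3600) ? "yes" : "no"), "\n";
```

Storing the issued MAC server-side is what lets the check reject a cookie that was valid a page ago; if you only recompute the MAC, an attacker who captured an old cookie can keep using it until the max-age check expires it.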