Re: [WebDNA] Encode cookies ONLY via "method=Base64"
This WebDNA talk-list message is from 2008
It keeps the original formatting.
Ken

Try "hiding" the value inside a longer string and then use getchars to get the true value.

I resorted to this technique some time ago when I ended up with problems.

Stuart

On 27/10/2008, at 10:02 AM, Kenneth Grome wrote:

>> sometimes a second decrypt and/or unurl
>> is needed.
>
> A different number of decrypts and encrypts never works, you
> must always use the same number of these contexts. A
> different number of urls and unurls is definitely necessary
> sometimes:
>
>
>> Syntax reminder on variable (straight), and database
>> encryption:
>> Straight encryption: same amount of [url]'s going in as
>> coming out
>> Database encryption: one more [url] going in
>> than coming out
>
> Right, thanks for the reminder.
>
> With the cookies I first tried the same number of urls and
> unurls but it was failing, so then I tried using one more
> url going in -- because I thought that *maybe* using
> cookies is similar to using a database. But this theory
> was wrong because an extra url with cookies does not fix
> the problem like it does with a database.
>
>
>> Could you please tell us what server you're using?
>
> My client's Windows server running WebDNA 6.?
>
>
>> I have found the same thing as Ken has, and that it
>> is on our list of potential bugs that we are addressing.
>> The scope appears to be only in cookie and orderfile
>> interaction so far.
>
> Orderfile too?
>
> Thanks Donovan, that's two scopes we should avoid when using
> the standard WebDNA encryption. Too bad though, since I
> want to use encrypted cookies for security reasons.
>
>
> PROBABLE CONCLUSION:
>
> Although Base64 is an encoding method (not an encryption
> method) it is the ONLY method that actually works when
> trying to obfuscate cookie values.
>
> Base64 is certainly not secure like an encrypted value might
> be, but it is better than nothing I guess. I tested all
> methods using cookies with the following results:
>
> standard webdna encryption --> fails 1/4 of the time
> method=CyberCash --> cannot be decrypted
> method=APOP --> cannot be decrypted
> method=Base64 --> 100% reliable in dozens of tests
>
>
> Sincerely,
> Ken Grome
> ---------------------------------------------------------
> This message is sent to you because you are subscribed to
> the mailing list .
> To unsubscribe, E-mail to:
> archives: http://mail.webdna.us/list/talk@webdna.us
> old archives: http://dev.webdna.us/TalkListArchive/
Stuart Tremain
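
Added example, not part of the original thread and not WebDNA code: Python standard library only, with a constructed key and a constructed cookie value. It illustrates the thread's point that Base64 is an encoding rather than encryption (the value reads back with no key) and shows one way to at least detect an altered cookie with an HMAC tag; the tag gives integrity only, so the value itself stays readable.

```python
import base64
import hashlib
import hmac

# Constructed demo key; a real deployment loads a random secret kept server-side.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def b64_cookie(value: str) -> str:
    """Base64-only cookie value, as in the thread: encoding, no secret involved."""
    return base64.urlsafe_b64encode(value.encode()).decode()


def read_b64_cookie(cookie: str) -> str:
    """No key is needed: whoever holds the cookie can read the value."""
    return base64.urlsafe_b64decode(cookie.encode()).decode()


def signed_cookie(value: str, key: bytes = SERVER_KEY) -> str:
    """payload.tag, both base64url, so no further URL encoding layer is needed."""
    payload = base64.urlsafe_b64encode(value.encode())
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (payload + b"." + base64.urlsafe_b64encode(tag)).decode()


def read_signed_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the value, or None if the cookie is malformed or was altered."""
    try:
        payload, tag_b64 = cookie.encode().split(b".")
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or bad Base64 padding
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return base64.urlsafe_b64decode(payload).decode()


if __name__ == "__main__":
    plain = b64_cookie("user=ken;level=1")        # constructed sample value
    print(read_b64_cookie(plain))                 # readable without any key
    edited = b64_cookie("user=ken;level=9")       # Base64 alone cannot flag a change
    print(read_b64_cookie(edited))
    good = signed_cookie("user=ken;level=1")
    swapped = edited + "." + good.split(".")[1]   # changed payload, original tag
    print(read_signed_cookie(good), read_signed_cookie(swapped))
```

Where the value must also be hidden from the client, the usual choices are authenticated encryption or keeping the value server-side and putting only a random session identifier in the cookie.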