RE: [WebDNA] Encode cookies ONLY via "method=Base64"
This WebDNA talk-list message is from 2008
I ran your example like this

[math show=f]cookiein=(1234567890123456789012345678901234567890*533000389)/125[/math]
[math show=f]cookieout=(125*cookiein)/533000389[/math]
cookiein = [cookiein]
cookieout = [cookieout]

And got this

cookiein = 5.26420132546169e+045
cookieout = 1.23456789012346e+039

It seems that this type of method may be subject to fail due to small rounding errors when large numbers are converted to/from scientific notation. For example, try opening a database with "carts" in Excel. Often I get very small errors like the last digit changed up or down by one. I never dug into that, but I am assuming Excel sees the "large" number and internally does some conversions which ultimately modify the number. It doesn't happen all of the time, but consistently enough that I stopped using Excel to manage the db files.

Any other ideas on implementing this technique? This sounds like a great way to store encrypted cookies!

However, just a note that you still need to watch out for people pasting in cookie-stealing code like this: http://jehiah.cz/archive/xss-stealing-cookies-101. Once stolen, they may be able to set their cookies to the stolen values and get access.

Thanks! Olin

===

From: Psi Prime, Matthew A Perosi [mailto:matt@psiprime.com]
Sent: Sunday, October 26, 2008 11:43 PM
To: talk@webdna.us
Subject: Re: [WebDNA] Encode cookies ONLY via "method=Base64"

wow

That sounds like a lot of overhead.

I bet the algebra would be a lot faster. You would still need your initial db to hold your custom ascii table though.

Assuming you were only using 26+10=36 characters, you could create a custom ascii table using 2 digits for each character. Then let's assume you have a 10 character username and a 10 character password. 20 characters total would convert to a string that is 40 digits long. You could use 3 digits in your ascii table to make it longer; the numbers don't have to be sequential either.

Once you have a 40 digit long number you could do something like this

[math]cookiein=([40digits]*533000389)/125[/math]

That number gets sent as the cookie using [setcookie name=fred&value=[cookiein]]

Then to decode it you would use

[math]cookieout=[getcookie fred][/math]
[math]40digits=(125*[cookieout])/533000389[/math]

At this point you could use a [loop] and a [getchars] to parse back through the 40 digit string and reverse decode through your ascii table.

The security here all lies in the prime number. The only way to decode the username and password would be to know the number. Since it still takes a supercomputer to actually find prime numbers, you are IMHO not likely to come across a hacker with a supercomputer that will be wasting his time trying to hack a website.
"Olin Lagon"