RE: [WebDNA] Encode cookies ONLY via "method=Base64"

This WebDNA talk-list message is from

2008


It keeps the original formatting.
numero = 101273
interpreted = N
texte = I ran your example like this [math = show=3Df]cookiein=3D(1234567890123456789012345678901234567890*533000389)/= 125[/math] [math show=3Df]cookieout=3D(125*cookiein)/533000389[/math] cookiein =3D [cookiein]
cookieout =3D [cookieout]
And got this cookiein =3D 5.26420132546169e+045 cookieout =3D 1.23456789012346e+039 It seems that this type of method may be subject to fail due to small = rounding errors when large numbers are converted to/from scientific = notation. For example try opening a database with = =E2=80=9Ccarts=E2=80=9D in Excel. Often I get very small errors like the = last digit changed up or down by one. I never dug into that but I am = assuming Excel sees the =E2=80=9Clarge=E2=80=9D number and internally = does some conversions which ultimately modifies the number. It = doesn=E2=80=99t happen all of the time, but consistently enough that I = stopped using Excel to manage the db files. Any other ideas on implemented this technique? This sounds like a great = way to store encrypted cookies! However, just a note that you still need to watch out for people pasting = in cookie stealing code like this = http://jehiah.cz/archive/xss-stealing-cookies-101. Once stolen, they may = be able to set their cookies to the values stolen and get access. Thanks! Olin =3D=3D=3D From: Psi Prime, Matthew A Perosi [mailto:matt@psiprime.com]=20 Sent: Sunday, October 26, 2008 11:43 PM To: talk@webdna.us Subject: Re: [WebDNA] Encode cookies ONLY via "method=3DBase64" wow That sounds like a lot of overhead. I bet the algebra would be a lot faster. You would still need your = initial db to hold your custom ascii table though. Assuming you were only using 26+10=3D36 characters, you could create a = custom ascii table using 2 digits for each character. Then lets assume = you have a 10 character username and a 10 character password. 20 = characters total would convert to a string that is 40 digits long. You = could use 3 digits in your ascii table to make it longer, the numbers = don't have to be sequential either. Once you have a 40 digit long number you could do something like this [math]cookiein=3D([40digits]*533000389)/125[/math] That number gets sent as the cookie using [setcookie = name=3Dfred&value=3D[cookiein]] Then to decode it you would use [math]cookieout=3D[getcookie = fred][/math] [math]40digits=3D(125*[cookieout])/533000389[/math] At this point you could use a [loop] and a [getchars] to parse back = through the 40 digit string and reverse decode through your ascii table. The security here all lies in the prime number. The only way to decode = the username and password would be to know the number. Since it still = takes a supercomputer to actually find prime numbers you are IMHO not = likely to come across a hacker with a supercomputer that will be wasting = his time trying to hack a website. Associated Messages, from the most recent to the oldest:

    
  1. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Stuart Tremain 2012)
  2. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Brian Fries 2012)
  3. Re: [WebDNA] Encode cookies ONLY via "method=Base64" ("Psi Prime Inc, Matthew A Perosi " 2012)
  4. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Govinda 2012)
  5. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Stuart Tremain 2012)
  6. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  7. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  8. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  9. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  10. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  11. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  12. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  13. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  14. Re: [WebDNA] Encode cookies ONLY via "method=Base64" ("Gary Krockover" 2008)
  15. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  16. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  17. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Marc Thompson 2008)
  18. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Bob Minor 2008)
  19. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Brian Fries 2008)
  20. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Marc Thompson 2008)
  21. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Patrick McCormick 2008)
  22. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  23. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Brian Fries 2008)
  24. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Christer Olsson 2008)
  25. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  26. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Donovan Brooke 2008)
  27. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  28. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  29. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  30. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  31. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  32. Re: [WebDNA] Encode cookies ONLY via "method=Base64" ("Psi Prime, Matthew A Perosi " 2008)
  33. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Stuart Tremain 2008)
  34. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Bob Minor 2008)
  35. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  36. RE: [WebDNA] Encode cookies ONLY via "method=Base64" ("Olin Lagon" 2008)
  37. RE: [WebDNA] Encode cookies ONLY via "method=Base64" ("Olin Lagon" 2008)
  38. Re: [WebDNA] Encode cookies ONLY via "method=Base64" ("Psi Prime, Matthew A Perosi " 2008)
  39. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  40. Re: [WebDNA] Encode cookies ONLY via "method=Base64" ("Psi Prime, Matthew A Perosi " 2008)
  41. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  42. Re: [WebDNA] Encode cookies ONLY via "method=Base64" ("Psi Prime, Matthew A Perosi " 2008)
  43. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Kenneth Grome 2008)
  44. Re: [WebDNA] Encode cookies ONLY via "method=Base64" (Stuart Tremain 2008)
I ran your example like this [math = show=3Df]cookiein=3D(1234567890123456789012345678901234567890*533000389)/= 125[/math] [math show=3Df]cookieout=3D(125*cookiein)/533000389[/math] cookiein =3D [cookiein]
cookieout =3D [cookieout]
And got this cookiein =3D 5.26420132546169e+045 cookieout =3D 1.23456789012346e+039 It seems that this type of method may be subject to fail due to small = rounding errors when large numbers are converted to/from scientific = notation. For example try opening a database with = =E2=80=9Ccarts=E2=80=9D in Excel. Often I get very small errors like the = last digit changed up or down by one. I never dug into that but I am = assuming Excel sees the =E2=80=9Clarge=E2=80=9D number and internally = does some conversions which ultimately modifies the number. It = doesn=E2=80=99t happen all of the time, but consistently enough that I = stopped using Excel to manage the db files. Any other ideas on implemented this technique? This sounds like a great = way to store encrypted cookies! However, just a note that you still need to watch out for people pasting = in cookie stealing code like this = http://jehiah.cz/archive/xss-stealing-cookies-101. Once stolen, they may = be able to set their cookies to the values stolen and get access. Thanks! Olin =3D=3D=3D From: Psi Prime, Matthew A Perosi [mailto:matt@psiprime.com]=20 Sent: Sunday, October 26, 2008 11:43 PM To: talk@webdna.us Subject: Re: [WebDNA] Encode cookies ONLY via "method=3DBase64" wow That sounds like a lot of overhead. I bet the algebra would be a lot faster. You would still need your = initial db to hold your custom ascii table though. Assuming you were only using 26+10=3D36 characters, you could create a = custom ascii table using 2 digits for each character. Then lets assume = you have a 10 character username and a 10 character password. 20 = characters total would convert to a string that is 40 digits long. You = could use 3 digits in your ascii table to make it longer, the numbers = don't have to be sequential either. Once you have a 40 digit long number you could do something like this [math]cookiein=3D([40digits]*533000389)/125[/math] That number gets sent as the cookie using [setcookie = name=3Dfred&value=3D[cookiein]] Then to decode it you would use [math]cookieout=3D[getcookie = fred][/math] [math]40digits=3D(125*[cookieout])/533000389[/math] At this point you could use a [loop] and a [getchars] to parse back = through the 40 digit string and reverse decode through your ascii table. The security here all lies in the prime number. The only way to decode = the username and password would be to know the number. Since it still = takes a supercomputer to actually find prime numbers you are IMHO not = likely to come across a hacker with a supercomputer that will be wasting = his time trying to hack a website. "Olin Lagon"

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

Checking for WebCatalog Version (2000) [WebDNA] Circumnavigate Browser Timeout On Lengthy WebDNA Operations (2014) Include vs. lookup? (1998) Getting Emailer to send mail (1997) Re:Emailer and encryption (1997) Updating a database once per day - An example (1998) Bug or syntax error on my part? (1997) Webten + Webcat running smooth (1998) [WebDNA] MD5 encryption (2011) Again: tcpconnect problem with authorize.net (2003) Still Stumped on ShowNext...HELP! (1997) Integration? (1999) Emailer setup (1997) Web Catalog 2 demo (1997) For those of you not on the WebCatalog Beta... (1997) No luck with taxes (1997) (1997) Kill the webcat process (2000) WebCat2b13MacPlugIn - More limits on [include] (1997) [OT] HTML Table Cell Problem (2003)