RE: [WebDNA] Encode cookies ONLY via "method=Base64"
This WebDNA talk-list message is from 2008
I ran your example like this

[math show=f]cookiein=(1234567890123456789012345678901234567890*533000389)/125[/math]
[math show=f]cookieout=(125*cookiein)/533000389[/math]
cookiein = [cookiein]
cookieout = [cookieout]

And got this

cookiein = 5.26420132546169e+045
cookieout = 1.23456789012346e+039

It seems that this type of method may be subject to fail due to small rounding errors when large numbers are converted to/from scientific notation. For example try opening a database with “carts” in Excel. Often I get very small errors like the last digit changed up or down by one. I never dug into that but I am assuming Excel sees the “large” number and internally does some conversions which ultimately modifies the number. It doesn’t happen all of the time, but consistently enough that I stopped using Excel to manage the db files.

Any other ideas on implementing this technique? This sounds like a great way to store encrypted cookies!

However, just a note that you still need to watch out for people pasting in cookie stealing code like this http://jehiah.cz/archive/xss-stealing-cookies-101. Once stolen, they may be able to set their cookies to the values stolen and get access.

Thanks! Olin

===

From: Psi Prime, Matthew A Perosi [mailto:matt@psiprime.com]
Sent: Sunday, October 26, 2008 11:43 PM
To: talk@webdna.us
Subject: Re: [WebDNA] Encode cookies ONLY via "method=Base64"

wow

That sounds like a lot of overhead.

I bet the algebra would be a lot faster. You would still need your initial db to hold your custom ascii table though.

Assuming you were only using 26+10=36 characters, you could create a custom ascii table using 2 digits for each character. Then let's assume you have a 10 character username and a 10 character password. 20 characters total would convert to a string that is 40 digits long. You could use 3 digits in your ascii table to make it longer, the numbers don't have to be sequential either.

Once you have a 40 digit long number you could do something like this

[math]cookiein=([40digits]*533000389)/125[/math]

That number gets sent as the cookie using [setcookie name=fred&value=[cookiein]]

Then to decode it you would use

[math]cookieout=[getcookie fred][/math]
[math]40digits=(125*[cookieout])/533000389[/math]

At this point you could use a [loop] and a [getchars] to parse back through the 40 digit string and reverse decode through your ascii table.

The security here all lies in the prime number. The only way to decode the username and password would be to know the number. Since it still takes a supercomputer to actually find prime numbers you are IMHO not likely to come across a hacker with a supercomputer that will be wasting his time trying to hack a website.
"Olin Lagon"
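The rounding problem Olin observed, reproduced as an added example (not code from the thread or from WebDNA): it runs Matthew's encode/decode formulas once in IEEE-754 doubles, which is assumed to be how [math] treats a 40-digit operand, and once in exact rational arithmetic. The 2-digit character table for a-z0-9 and the sample username/password are constructed here; the thread leaves the real table to the implementer.

```python
from fractions import Fraction
import string

PRIME, DIVISOR = 533000389, 125          # constants proposed in the thread
OLIN_SAMPLE = 1234567890123456789012345678901234567890   # the 40-digit value Olin tested

# Constructed 2-digit "custom ascii table" for a-z0-9 (the thread leaves the real table
# to the implementer); codes start at 10 so the number never gets a leading zero.
ALPHABET = string.ascii_lowercase + string.digits
TO_CODE = {c: f"{i + 10:02d}" for i, c in enumerate(ALPHABET)}
FROM_CODE = {v: k for k, v in TO_CODE.items()}

def text_to_number(text: str) -> int:
    return int("".join(TO_CODE[c] for c in text))

def number_to_text(number: int) -> str:
    s = str(number)
    return "".join(FROM_CODE[s[i:i + 2]] for i in range(0, len(s), 2))

def encode_float(n: int) -> float:
    # [math]cookiein=(n*533000389)/125[/math] evaluated in IEEE-754 doubles, which is
    # assumed to be how WebDNA's [math] handles a 40-digit operand.
    return float(n) * PRIME / DIVISOR

def decode_float(cookie: float) -> int:
    # [math]40digits=(125*cookieout)/533000389[/math], again in doubles.
    return int(DIVISOR * cookie / PRIME)

def encode_exact(n: int) -> Fraction:
    return Fraction(n) * PRIME / DIVISOR      # exact rational arithmetic, nothing rounded

def decode_exact(cookie: Fraction) -> int:
    out = cookie * DIVISOR / PRIME
    if out.denominator != 1:                  # a genuine cookie always divides back to an integer
        raise ValueError("cookie value is not a valid encoding")
    return int(out)

def leading_digits_preserved(n: int) -> int:
    """How many leading decimal digits survive the double-precision round trip."""
    a, b = str(n), str(decode_float(encode_float(n)))
    return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))

def roundtrip(user: str, password: str, exact: bool):
    """Credentials -> cookie -> credentials; None when decoding yields garbage."""
    n = text_to_number(user + password)
    try:
        back = decode_exact(encode_exact(n)) if exact else decode_float(encode_float(n))
        return number_to_text(back)
    except (KeyError, ValueError):
        return None
```

With doubles only the first 15 or so of the 40 digits come back, so the decoded credentials are garbage, while exact arithmetic returns them unchanged. Note that decode_exact only detects corruption, not forgery: the scaling factor is a fixed public constant, so exact arithmetic makes the scheme reliable, not confidential.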