tags:

views:

81

answers:

3
+1  Q: 

Adding a simple MAC to url parameters ?

I want to add a simple kind of MAC to some of my URL parameters. This is only intended as an additional line of defense against application bugs and caching related problems/bugs, and not intended as any form of replacement of the actual login security in the application. A given business-object-id is already protected by backends to be limited to a single user.

So basically I'd like to add a short authentication code to my url parameters, on the size of 2-4 characters. I think I'd like to have a reversible function along the lines of f(business-data-id + logged-on-user-id + ??) = hash, but I am open to suggestions.

The primary intention is to stop id guessing, and to make sure that url's are fairly distinct per logged on user. I also don't want something big and clunky like an MD5.

A: 

A quick question for which I'm sure there's a good answer for, but why not store this information in a cookie?

Then you could use something big and clunky like MD5 and your URLs would still be pretty.

Dave Webb  2009-03-31 08:20:55
This'd apply to *all* url's with parameters I'm sending from server to client, so there'd be a lot of them. And how would this stop a legitimate user from id-guessing ?
krosenvold  2009-03-31 08:34:56
Sorry I see now. But I'm not sure what extra the Access Code on the URL parameters gives you. If you have authentication and access control on the back end isn't your protection from ID guessing an "Access Denied" message when a user tries to view a resource they're not entitled to see?
Dave Webb  2009-03-31 13:52:39
Extra precaution against caching bugs and similar
krosenvold  2009-03-31 14:48:44
+1  A: 

If what you want is basically MD5 but smaller, why not just use MD5 but just the last 4 characters? This doesn't add a huge blob to your urls, it's always 4 nice hex digits.

Anders Öhrt  2009-04-01 13:23:21
Since no other answer came, this was what I figured too. BIt sceptical about calculating a large checksum and using only a small portion of it, do you think the computational overhead is ok ?
krosenvold  2009-04-01 15:47:12
Calculating MD5 is pretty cheap, but benchmark it to make sure. We used MD5 in a tight loop once, so we benchmarked to be sure and could to thousands per second IIRC.
Anders Öhrt  2009-04-01 20:42:29
+2  A: 
erickson  2009-04-02 21:10:06
"Something" along those lines turned out to be exactly what I did yesterday, but I was still wondering about 32 bit crc's and base64 encoding. CRC24 solves *that* one ;)
krosenvold  2009-04-03 06:05:24

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security