Visit tracking is insecure

Egor Cheshkov

Jan 12, 2006, 6:32:46 PM
to TurboGears
Hello!

Since the visit tracking hash is based only on the current timestamp, it can be easily guessed. We should use something more random to generate the visit cookie hash, for example:

visit_key = sha.new(" ".join([str(time.time()), str(random.random()), cherrypy.request.remoteAddr])).hexdigest()

Egor.
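
Added example (not part of the original post and not TurboGears code): a self-contained Python 3 check of how small the candidate space is when a visit key is a hash of the timestamp alone, next to a key drawn from the OS CSPRNG. The exact shape of the weak scheme (SHA-1 over the timestamp string), all function names, and the sample timestamp are assumptions made for illustration; the hardened generator uses `secrets` rather than the `random.random()` mix proposed above.

```python
import hashlib
import secrets


def weak_visit_key(ts):
    # Assumed weak scheme: SHA-1 over the timestamp string and nothing else.
    # "%.12g" mirrors Python 2's str(float), which kept 12 significant digits,
    # i.e. 10 ms resolution for a 2006-era time.time() value.
    return hashlib.sha1(("%.12g" % ts).encode()).hexdigest()


def strong_visit_key():
    # 160 bits taken directly from the OS CSPRNG; no guessable input involved.
    return secrets.token_hex(20)


def search_space(window_s):
    # Number of distinct 10 ms timestamps within +/- window_s seconds.
    return 2 * window_s * 100 + 1


def tries_to_match(key, around_s, window_s):
    # Audit helper: how many timestamp candidates must be hashed before one
    # equals `key`, given the visit started within window_s of around_s.
    # Returns None when no timestamp in the window produces the key.
    lo = (around_s - window_s) * 100  # work in integer centiseconds
    for tries, cs in enumerate(range(lo, lo + search_space(window_s)), start=1):
        if weak_visit_key(cs / 100.0) == key:
            return tries
    return None


if __name__ == "__main__":
    sample_ts = 1137087166.4234  # constructed sample value
    weak = weak_visit_key(sample_ts)
    strong = strong_visit_key()
    print("candidates in a +/-5 s window:", search_space(5))
    print("weak key matched after tries:", tries_to_match(weak, 1137087166, 5))
    print("CSPRNG key matched:", tries_to_match(strong, 1137087166, 5))
```
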