mobwrite.idPrefix = ?

tom

Jul 16, 2010, 3:17:12 AM
to MobWrite
Hello, how is everyone programmatically creating idPrefix? I am working
on a drupal module for mobwrite and just trying to brainstorm some
ideas.

If I had a random number for each website with the module concatenated
with the form's relative path, I would be fairly safe using a common
gateway, but I was wondering about the possibility of someone getting that
random number and then being able to bypass permissions.

thanks, tom

Neil Fraser

Jul 16, 2010, 12:10:44 PM
to MobWrite
Here's the code I usually use. The resulting ID is designed to be
human readable, so if that's not a use-case for you then drop the 0/o,
1/l and trailing dash reductions:

/**
 * Return a random id that's 9 letters long.
 * 24*(24+8+1)^7*(24+8) = 32,730,964,206,336
 * @return {string} Random id.
 */
function uniqueId() {
  // First character must be a letter (W3 spec for ID).
  // Drop 0/o and 1/l since they are visually ambiguous.
  var soup = 'abcdefghijkmnpqrstuvwxyz';
  // charAt truncates the fractional index, so this is a uniform pick.
  var id = soup.charAt(Math.random() * soup.length);
  // Subsequent characters may include these.
  soup += '23456789-';
  for (var x = 1; x < 9; x++) {
    id += soup.charAt(Math.random() * soup.length);
  }
  if (id.indexOf('--') != -1) {
    // Don't allow IDs with '--' in them since it might close a comment.
    id = uniqueId();
  } else if (id.charAt(id.length - 1) == '-') {
    // A dash at the end looks weird.
    id = uniqueId();
  }
  return id;
}

The result is 32,730,964,206,336 permutations. Let's assume that an
attacker can hit the server 100 times per second. That would mean he
could brute-force the entire space in 10,379 years. Is this good
enough for you? :)

tom

Jul 16, 2010, 12:17:28 PM
to MobWrite
Thanks for the example!

I was thinking the random number wouldn't be brute forced, but
that it could be observed. Perhaps this is not the case, I do not
understand enough about web development security.
Whereas, having something that was per session rather than per site
would make it somewhat like alternating keys, if it was observed it
would only be for that particular instance.

Sounds like maybe I am seeing a problem that doesn't really exist?

Neil Fraser

Jul 16, 2010, 12:27:10 PM
to MobWrite
I don't know how you are structuring your site, but if you only send
the ID to people who should have access, then you are safe. Note that
a user could look at the ID and pass it on to someone else, but that
situation is unavoidable in any system since it's like giving someone
else your username and password. It is also worth noting that one
limitation of MobWrite is that there is no way to remove a user from a
session once they are in -- other than changing the code for everyone
else.