helios_lie
new

Posts: 1
« on: October 15, 2007, 11:25:30 am »
Hi, I want to ask about this piece of code that is used to protect the content of some quotations inside a website. The quotations will only change once a day, depending on the cookie on the client's browser. $ct is the counter for the quotations. If we change the $ct and $date from the cookie, it will be checked against the cookie storing the md5 hash of $ct.$date.$password. If it does not match, the cookie will be reset back to 0 again. Is this implementation secure enough?
//Do the cookie stuff
$ct = isset($_COOKIE['ct']) ? $_COOKIE['ct'] : 0;
$date = isset($_COOKIE['date']) ? $_COOKIE['date'] : date('Ymd');
if(isset($_COOKIE['hash']) && $_COOKIE['hash'] == md5($ct.$date.$password)) {
    if($date < date('Ymd')) {
        $ct++;
        if($ct >= count($thoughts)) $ct = count($thoughts)-1;
        $date = date('Ymd');
    }
} else {
    $ct = 0;
    $date = date('Ymd');
}
setcookie("hash", md5($ct.$date.$password), time()+$cookielife);
setcookie("ct", $ct, time()+$cookielife);
setcookie("date", $date, time()+$cookielife);
The whole code is from *ttp://www.unoriginal.org/thoughts/thought.php?action=source
Defcon 5
« Reply #1 on: October 16, 2007, 01:53:11 am »
I'm not a fan of storing passwords in cookies at all; you could generate a temporary password and place that in their cookies and your database.
Darksat
« Reply #2 on: October 23, 2007, 05:35:28 pm »
I don't see any reason for the password to be called at all. This is a stupid script.
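
The cookie check from the first post, reworked as an added example (not code from the thread or from the linked script): it keeps the same ct/date/hash cookies but computes an HMAC-SHA256 over a delimited input, validates the cookie formats, and compares with hash_equals(). The function names, $key and the sample cookies are assumptions made for illustration.

```php
<?php
// Added example, not part of the original script. $key, the function names
// and the sample cookie values below are assumptions for illustration.

// MAC over an unambiguous encoding: the "|" separator keeps ct=1,date=20071015
// from producing the same input string as ct=12,date=0071015.
function state_mac(int $ct, string $date, string $key): string {
    return hash_hmac('sha256', $ct . '|' . $date, $key);
}

// Returns [ct, date] from the cookies if they verify, otherwise a fresh state.
// $count is the number of quotations and is assumed to be at least 1.
function read_state(array $cookies, string $key, int $count, string $today): array {
    $fresh = [0, $today];
    foreach (['ct', 'date', 'hash'] as $name) {
        if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
            return $fresh;
        }
    }
    // Validate format before use: ct is a short digit string, date is 8 digits (Ymd).
    if (!ctype_digit($cookies['ct']) || strlen($cookies['ct']) > 6
        || !preg_match('/^\d{8}$/', $cookies['date'])) {
        return $fresh;
    }
    $ct = (int) $cookies['ct'];
    $date = $cookies['date'];
    // hash_equals() is constant-time and compares byte for byte, unlike ==,
    // which can treat two different "0e..." digests as equal numbers.
    if (!hash_equals(state_mac($ct, $date, $key), $cookies['hash'])) {
        return $fresh;
    }
    if ($date < $today) {            // same once-per-day advance as the original
        $ct = min($ct + 1, $count - 1);
        $date = $today;
    }
    return [$ct, $date];
}

// Constructed sample data.
$key = 'constructed-demo-key-not-for-production';
$good = ['ct' => '3', 'date' => '20071014', 'hash' => state_mac(3, '20071014', $key)];
$edited = ['ct' => '9'] + $good;     // ct changed, hash left as it was

var_dump(read_state($good, $key, 10, '20071015'));    // valid cookie from the previous day
var_dump(read_state($edited, $key, 10, '20071015'));  // edited counter with a stale MAC
```

The server would pass $_COOKIE as the first argument and write the returned state back with setcookie(), as the original script does.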