[nycphp-talk] Tamperproof URLs and PHP slides posted
Nick Galbreath
nickg at modp.com
Wed Dec 12 12:44:07 EST 2007
Aha! Good point.
So there are a few ways you can do this. But I think the simplest is just
to record the username (perhaps the IP), the high score and a time stamp. Then
when a new message comes in, check the db to see if this user's timestamp is
close to now. If so, reject.
More complicated ways are having the client send the timestamp and use it in
your hmac/hash thing. If their timestamp is old then they are replaying and
you can just reject it.
Or some combination of both. Without knowing your product & operations
better it's hard to say, but something like this should get you started.
have fun!
--nickg
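The two approaches above combined, as an added example in PHP that is not from the thread: the client signs its own timestamp and a one-time nonce along with the score, and the server checks the signature, the age of the timestamp, and whether it has already accepted that nonce. SECRET, MAX_AGE and the in-memory $seen array are assumptions standing in for the real key and the database table.

```php
<?php
// Added example, not code from the thread. HMAC-signed high score submission
// with replay protection. $seen stands in for the database table.

const SECRET  = 'placeholder-replace-with-a-long-random-server-side-key';
const MAX_AGE = 60; // seconds a signed request stays valid (assumed window)

function sign_score(string $user, int $score, int $ts, string $nonce): string {
    // Everything the server later checks is covered by the MAC, so none of
    // it can be altered without knowing SECRET.
    return hash_hmac('sha256', "$user|$score|$ts|$nonce", SECRET);
}

// What the client would send. The nonce is the random token John describes.
function build_request(string $user, int $score): array {
    $ts    = time();
    $nonce = bin2hex(random_bytes(16));
    return ['user' => $user, 'score' => $score, 'ts' => $ts,
            'nonce' => $nonce, 'sig' => sign_score($user, $score, $ts, $nonce)];
}

// Returns 'ok' or the reason for rejection. $seen maps "user|nonce" to the
// time the request was accepted; $now is injectable for testing.
function verify_request(array $r, array &$seen, ?int $now = null): string {
    $now      = $now ?? time();
    $expected = sign_score($r['user'], (int)$r['score'], (int)$r['ts'], $r['nonce']);
    if (!hash_equals($expected, $r['sig'])) {
        return 'bad signature';   // fields tampered with, or wrong secret
    }
    if (abs($now - (int)$r['ts']) > MAX_AGE) {
        return 'stale timestamp'; // an old request being resent
    }
    $key = $r['user'] . '|' . $r['nonce'];
    if (isset($seen[$key])) {
        return 'replay';          // this exact signed request was already used
    }
    $seen[$key] = $now;           // in production: insert into the db
    return 'ok';
}

$seen = [];
$req  = build_request('john', 9000);
echo verify_request($req, $seen), "\n";                 // fresh request
echo verify_request($req, $seen), "\n";                 // same request again
$tampered = $req;
$tampered['score'] = 99999;
echo verify_request($tampered, $seen), "\n";            // score changed after signing
$late = build_request('john', 9500);
echo verify_request($late, $seen, time() + 3600), "\n"; // valid signature, too old
```

The nonce check catches a replay inside the time window, and the timestamp check keeps the $seen table from having to hold nonces forever: anything older than MAX_AGE can be purged.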
On 12/12/07, John Campbell <jcampbell1 at gmail.com> wrote:
>
> Thanks Nick,
>
> I'll take some measures to obfuscate the "secret", but I just realized
> I have another potential hole. There is nothing to prevent someone
> from actually getting a high score, then replaying the request to get
> all of the top positions. I suppose the solution is to have the
> server create a random string, save it on the server, send it to the
> client, and use the token as another element of the checksum. Then
> once the score is saved, the token is deleted from the server. I
> think that will work, but now I am starting to feel sorry for the next
> guy that has to figure out what the hell my code is doing. :)
>
> Cheers,
> John Campbell