Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#1202 closed New feature (fixed)

Provide utility nonce functions for plugin framework

Reported by: vipsoft
Owned by: vipsoft
Priority: normal
Milestone: Piwik 0.5.5
Component: Core
Keywords:
Cc:
Sensitive: no

Description

getNonce(), verifyNonce()

  • use Zend_Session_Namespace() to store session-dependent nonce, and use its built-in capability to expire entries
  • a criticism of some implementations is the reliance on a predictable input to the hash function (e.g., time() or non-private constants, e.g., user name) and/or low entropy (e.g., a single pseudo-random number generated value)
  • a more robust defense should incorporate referrer checking
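An added example, not Piwik's own code, of the getNonce()/verifyNonce() pair the description sketches, built on Zend Framework 1's Zend_Session_Namespace: the value comes from a CSPRNG rather than time() or the user name, the entry expires via the namespace's own expiry support, it is consumed on first use, and the Referer host is checked. It assumes ZF1 autoloading, a session already started with Zend_Session::start(), and PHP 7 or later (random_bytes, hash_equals); the class and namespace names are placeholders.

```php
<?php
// Example nonce helpers in the spirit of ticket #1202 (not Piwik's implementation).
class NonceExample
{
    const NS_NAME = 'Example_Nonce';   // placeholder namespace name

    /**
     * Issue a nonce for $id (e.g. a form or action name), store it in the
     * session namespace and let Zend_Session_Namespace expire it after $ttl seconds.
     */
    public static function getNonce($id, $ttl = 600)
    {
        $ns = new Zend_Session_Namespace(self::NS_NAME);
        // 32 bytes from the OS CSPRNG, hex-encoded: unpredictable and high-entropy,
        // unlike time() or a user name fed through a hash.
        $nonce = bin2hex(random_bytes(32));
        $ns->$id = $nonce;
        $ns->setExpirationSeconds($ttl, $id);   // expire only this entry
        return $nonce;
    }

    /**
     * Check a submitted nonce for $id. The stored value is removed on every
     * call so each nonce is single-use, whether or not the check succeeds.
     * When a Referer header is present, its host must match $allowedHost.
     */
    public static function verifyNonce($id, $submitted, $allowedHost)
    {
        $ns = new Zend_Session_Namespace(self::NS_NAME);
        $stored = isset($ns->$id) ? $ns->$id : null;
        unset($ns->$id);
        if ($stored === null || !is_string($submitted)) {
            return false;   // never issued, already used, expired, or malformed
        }
        if (!hash_equals($stored, $submitted)) {
            return false;   // constant-time comparison of the two hex strings
        }
        if (isset($_SERVER['HTTP_REFERER'])) {
            $refHost = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
            if (!is_string($refHost) || strcasecmp($refHost, $allowedHost) !== 0) {
                return false;   // request did not originate from our own pages
            }
        }
        // A missing Referer is tolerated here because browsers and proxies strip it;
        // deployments that can rely on it should reject the request instead.
        return true;
    }
}
```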

Change History (3)

comment:1 Changed 4 years ago by vipsoft (robocoder)

(In [1915]) refs #1202 - example of using nonce

comment:2 Changed 4 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from new to closed

[1914] fixes #1202 - provide utility nonce functions for plugin framework

comment:3 Changed 4 years ago by vipsoft (robocoder)

(In [1919]) refs #1202 - add comments and tweak algorithm
