Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Options

vanilla forum cookie content denote what

echo $_COOKIE[$CookieName];
results '1-1369340879|74c5d8e6a60743f1df88e85cccc594a0|1366748879|1|1369340879'

each value denote what???
thanks for your replay.......

Comments

  • Options

    1 is userid
    i think 74c5d8e6a60743f1df88e85cccc594a0 is hash
    rest of them ???????

  • Options
    x00x00 MVP
    edited December 2013

    UserID-Expiration|HMAC|Timestamp|UserID|Expiration

    http://en.wikipedia.org/wiki/Hash-based_message_authentication_code

    So explain it better in Gdn_CookieIdentity::SetCookie in adds

    KeyData|HMAC|Timstamp and appends any cookie contents to the end delimited by pipe. SetIdentity is only one possible use of SetCookie, and in that case it supplies virtually the same for the KeyData as the CookieContent

    The hash is salted an you can change the primary hash algorithm (md5 or sha1).

    grep is your friend.

  • Options

    The data that is verified by HMAC is the KeyData. So in other word not only is the cookie authenticated by hash, it verifies that the associated KeyData is correct and hasn't been tampered.

    grep is your friend.

  • Options

    thank you** x00 ** for your valuable reply

  • Options

    function _Hash($Data, $CookieHashMethod, $CookieSalt) what is $Data ???
    $Data is the data to place in the hash, means what????
    Is this the $KeyData???

  • Options
    x00x00 MVP
    edited December 2013

    If you read

    http://en.wikipedia.org/wiki/Hash-based_message_authentication_code

    Data is the message. In this case message is KeyData (UserID-Expiration), but could be anything.

    That function is just a wrapper, as to not confuse generating the key, to generating the final hash. So in the second pass you supply the generated key as the salt ( not the saved salt)

    grep is your friend.

  • Options

    got it thank you very much x00

Sign In or Register to comment.