Provide utility nonce functions for plugin framework #1202

Closed
robocoder opened this Issue Mar 13, 2010 · 3 comments

1 participant

@robocoder

getNonce(), verifyNonce()

  • use Zend_Session_Namespace() to store session-dependent nonce, and use its built-in capability to expire entries
  • a criticism of some implementations is the reliance on a predictable input to the hash function (e.g., time() or non-private constants, e.g., user name) and/or low entropy (e.g., a single pseudo-random number generated value)
  • a more robust defense should incorporate referrer checking
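One way the two helpers could be shaped along the lines listed above, as an added example and not the project's own code: it assumes Zend Framework 1 (Zend_Session_Namespace with setExpirationSeconds) and PHP 7+ (random_bytes, hash_equals); the namespace name, the 10-minute lifetime and the allowed-host list are assumptions.

```php
<?php
// Added example, not Piwik code. Assumes a started session and Zend Framework 1.
class NonceExample
{
    const NS = 'Piwik_Nonce';   // assumed namespace name

    // Issue a nonce tied to the current session under a caller-chosen id.
    public static function getNonce($id, $ttlSeconds = 600)
    {
        $ns = new Zend_Session_Namespace(self::NS);
        // Entropy comes from a CSPRNG, not from time() or a user name, so the
        // value cannot be predicted from public inputs (128 bits here).
        $nonce = bin2hex(random_bytes(16));
        $ns->$id = $nonce;
        // Let Zend_Session_Namespace expire just this entry after the TTL.
        $ns->setExpirationSeconds($ttlSeconds, $id);
        return $nonce;
    }

    // Verify a submitted nonce; returns true only if it is the stored, unexpired
    // value AND the request's Referer host is one we expect.
    public static function verifyNonce($id, $candidate, array $allowedHosts)
    {
        $ns = new Zend_Session_Namespace(self::NS);
        // Missing or already-expired entry: reject.
        if (!isset($ns->$id)) {
            return false;
        }
        $stored = $ns->$id;
        // One-time use: discard before comparing so a replay always fails.
        unset($ns->$id);
        // Constant-time comparison avoids leaking the stored value via timing.
        if (!hash_equals($stored, (string) $candidate)) {
            return false;
        }
        // Referrer check as the extra layer the issue asks for; an absent or
        // unparsable Referer is rejected (fail closed).
        $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
        $host = parse_url($referer, PHP_URL_HOST);
        if (!is_string($host) || $host === '') {
            return false;
        }
        return in_array(strtolower($host), $allowedHosts, true);
    }
}
```

A form would embed the value returned by getNonce('settings_form') in a hidden field and the handler would call verifyNonce('settings_form', $_POST['nonce'], array('piwik.example.org')) before acting.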
@robocoder

(In [1915]) refs #1202 - example of using nonce

@robocoder

[1914] fixes #1202 - provide utility nonce functions for plugin framework

@robocoder

(In [1919]) refs #1202 - add comments and tweak algorithm

@robocoder robocoder added this to the Piwik 0.5.5 milestone Jul 8, 2014
@robocoder robocoder self-assigned this Jul 8, 2014
This issue was closed.