

Provide utility nonce functions for plugin framework #1202

robocoder opened this Issue · 3 comments



getNonce(), verifyNonce()

  • use Zend_Session_Namespace() to store session-dependent nonce, and use its built-in capability to expire entries
  • a criticism of some implementations is the reliance on a predictable input to the hash function (e.g., time() or non-private constants, e.g., user name) and/or low entropy (e.g., a single pseudo-random number generated value)
  • a more robust defense should incorporate referrer checking
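The three points above, sketched as an added example that is not Piwik's code and not part of the original issue. Assumptions: a plain array stands in for the Zend_Session_Namespace store, expiry is tracked by hand rather than by the namespace, and the function signatures, the `NONCE_TTL` value, the `$now` parameter and the host names are hypothetical.

```php
<?php
// Added example, not Piwik's code. $session stands in for a
// Zend_Session_Namespace; the 300 s lifetime is an assumption.
const NONCE_TTL = 300;

function getNonce(array &$session, string $id, ?int $now = null): string
{
    $now = $now ?? time();
    $entry = $session[$id] ?? null;
    if ($entry === null || $entry['expires'] <= $now) {
        // 16 bytes from the CSPRNG; no time(), user name or constant is hashed in.
        $entry = ['value' => bin2hex(random_bytes(16)), 'expires' => $now + NONCE_TTL];
        $session[$id] = $entry;
    }
    return $entry['value'];
}

function verifyNonce(array &$session, string $id, string $submitted,
                     ?string $referrer, string $ownHost, ?int $now = null): bool
{
    $now = $now ?? time();
    $entry = $session[$id] ?? null;
    if ($entry === null) {
        return false;                 // no nonce was ever issued for this form
    }
    if ($entry['expires'] <= $now) {
        unset($session[$id]);         // expired entries are dropped, not reused
        return false;
    }
    // Referrer check: when the header is present, its host must be our own.
    // Accepting an absent header is an assumption (proxies often strip it).
    if ($referrer !== null && $referrer !== '') {
        $host = parse_url($referrer, PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $ownHost) !== 0) {
            return false;
        }
    }
    // Constant-time comparison against the session-stored value.
    return hash_equals($entry['value'], $submitted);
}

// Constructed demo: same-host request, foreign referrer, then an expired nonce.
$session = [];
$nonce = getNonce($session, 'Login.form', 1000);
var_dump(verifyNonce($session, 'Login.form', $nonce, 'https://stats.example/index.php', 'stats.example', 1100));
var_dump(verifyNonce($session, 'Login.form', $nonce, 'https://other.example/', 'stats.example', 1100));
var_dump(verifyNonce($session, 'Login.form', $nonce, null, 'stats.example', 1400));
```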

(In [1915]) refs #1202 - example of using nonce


[1914] fixes #1202 - provide utility nonce functions for plugin framework


(In [1919]) refs #1202 - add comments and tweak algorithm

@robocoder robocoder added this to the Piwik 0.5.5 milestone
@robocoder robocoder self-assigned this
This issue was closed.