Provide utility nonce functions for plugin framework #1202

Closed
robocoder opened this Issue · 3 comments

Anthon Pang
Collaborator

getNonce(), verifyNonce()

  • use Zend_Session_Namespace() to store session-dependent nonce, and use its built-in capability to expire entries
  • a criticism of some implementations is the reliance on a predictable input to the hash function (e.g., time() or non-private constants, e.g., user name) and/or low entropy (e.g., a single pseudo-random number generated value)
  • a more robust defense should incorporate referrer checking
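
The three points above, sketched as an added example (not the code committed for this issue and not Piwik's API): a session-bound nonce drawn from the CSPRNG, expired by timestamp, and verified together with a referrer host check. The `$store` array stands in for the session namespace; the function signatures, the tolerance for a missing referrer, and all demo values are assumptions.

```php
<?php
// Added illustration, not Piwik code. $store stands in for the session
// namespace; parameter names and the demo values are assumptions.
function getNonce(array &$store, string $id, int $ttl = 300, ?int $now = null): string
{
    $now = $now ?? time();
    // Reuse an unexpired nonce so a reloaded form stays valid.
    if (isset($store[$id]) && $store[$id]['expires'] > $now) {
        return $store[$id]['nonce'];
    }
    // 128 bits from the CSPRNG; nothing derived from time() or the user name.
    $store[$id] = ['nonce' => bin2hex(random_bytes(16)), 'expires' => $now + $ttl];
    return $store[$id]['nonce'];
}

function verifyNonce(array &$store, string $id, string $candidate,
                     ?string $referrer, string $expectedHost, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!isset($store[$id])) {
        return false;
    }
    if ($store[$id]['expires'] <= $now) {
        unset($store[$id]); // expired entries are discarded, never compared
        return false;
    }
    // Referrer check as a second layer. Assumption: an absent header is
    // tolerated (some clients strip it); a present one must name our host.
    if ($referrer !== null && $referrer !== '') {
        $host = parse_url($referrer, PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $expectedHost) !== 0) {
            return false;
        }
    }
    // Constant-time comparison avoids leaking matching prefixes via timing.
    return hash_equals($store[$id]['nonce'], $candidate);
}

// Constructed demo: fixed clock values, hypothetical host names.
// Cases: same-host referrer in time; foreign referrer; same host after expiry.
$session = [];
$nonce = getNonce($session, 'ExamplePlugin.settings', 300, 1000);
$host = 'stats.example.org';
var_dump(verifyNonce($session, 'ExamplePlugin.settings', $nonce, "https://$host/index.php", $host, 1100));
var_dump(verifyNonce($session, 'ExamplePlugin.settings', $nonce, 'https://other.example.net/', $host, 1100));
var_dump(verifyNonce($session, 'ExamplePlugin.settings', $nonce, "https://$host/index.php", $host, 1400));
```
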
Anthon Pang
Collaborator

(In [1915]) refs #1202 - example of using nonce

Anthon Pang
Collaborator

[1914] fixes #1202 - provide utility nonce functions for plugin framework

Anthon Pang
Collaborator

(In [1919]) refs #1202 - add comments and tweak algorithm

Anthon Pang robocoder added this to the Piwik 0.5.5 milestone
Anthon Pang robocoder self-assigned this
This issue was closed.