Provide utility nonce functions for plugin framework #1202

Closed
robocoder opened this Issue · 3 comments

1 participant

@robocoder
Collaborator

getNonce(), verifyNonce()

  • use Zend_Session_Namespace() to store session-dependent nonce, and use its built-in capability to expire entries
  • a criticism of some implementations is the reliance on a predictable input to the hash function (e.g., time() or non-private constants, e.g., user name) and/or low entropy (e.g., a single pseudo-random number generated value)
  • a more robust defense should incorporate referrer checking
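The three design points in this comment (session-stored nonce with expiry, unpredictable high-entropy nonce value, referrer checking) as an added, runnable illustration in Python. This is not code from the issue or from Piwik's plugin framework; it assumes a plain in-memory dict as a stand-in for the per-user Zend_Session_Namespace, an injectable clock so expiry can be exercised, and that the caller passes the request's Referer header and the site's expected hostname.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for a per-user session namespace (assumption: the real
# framework would keep this in Zend_Session_Namespace). Each entry maps a
# nonce id (one per form/action) to (secret value, absolute expiry time).
Session = Dict[str, Tuple[str, float]]


def get_nonce(session: Session, nonce_id: str, ttl_seconds: int = 600,
              now: Callable[[], float] = time.time) -> str:
    """Create a fresh nonce for nonce_id, store it with an expiry, return it.

    The value comes from the OS CSPRNG (256 bits). Deriving it from time(),
    the user name or a single rand() call would make it guessable, which is
    exactly the criticism the issue raises.
    """
    value = secrets.token_hex(32)
    session[nonce_id] = (value, now() + ttl_seconds)
    return value


def referer_matches(referer: Optional[str], expected_host: str) -> bool:
    """True only when the Referer URL's host is our own host (case-insensitive).

    A missing Referer is treated as a mismatch here; see the note below.
    """
    if not referer:
        return False
    host = urlsplit(referer).hostname
    return host is not None and host.lower() == expected_host.lower()


def verify_nonce(session: Session, nonce_id: str, submitted: str,
                 referer: Optional[str], expected_host: str,
                 now: Callable[[], float] = time.time) -> bool:
    """Validate a submitted nonce for nonce_id; fails closed on any defect.

    The stored entry is consumed on the first attempt whatever the outcome,
    so a nonce is single-use and cannot be replayed or guessed incrementally.
    """
    entry = session.pop(nonce_id, None)
    if entry is None:            # unknown id, or already consumed
        return False
    value, expires_at = entry
    if now() > expires_at:       # Zend_Session_Namespace would expire this for us
        return False
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(value.encode("utf-8"), submitted.encode("utf-8")):
        return False
    return referer_matches(referer, expected_host)


if __name__ == "__main__":
    sess: Session = {}
    token = get_nonce(sess, "plugin.settings.save", ttl_seconds=60)
    print("first use:", verify_nonce(sess, "plugin.settings.save", token,
                                     "https://piwik.example/index.php", "piwik.example"))
    print("replay:   ", verify_nonce(sess, "plugin.settings.save", token,
                                     "https://piwik.example/index.php", "piwik.example"))
```

Rejecting a missing Referer is a policy choice: browsers and proxies sometimes strip the header, so a deployment may prefer to skip the referrer check when the header is absent and rely on the nonce alone; the check is still worth having because a forged cross-site request normally carries the attacker's origin in Referer.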
@robocoder
Collaborator

(In [1915]) refs #1202 - example of using nonce

@robocoder
Collaborator

[1914] fixes #1202 - provide utility nonce functions for plugin framework

@robocoder
Collaborator

(In [1919]) refs #1202 - add comments and tweak algorithm

@robocoder robocoder added this to the Piwik 0.5.5 milestone
@robocoder robocoder self-assigned this
This issue was closed.