chiark / gitweb /
~ian / cgi-auth-flexible.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: bde070b) | patch
blinding: Blind cookies and hidden form param
authorIan Jackson <ijackson@chiark.greenend.org.uk>
Sun, 25 Oct 2015 13:37:15 +0000 (13:37 +0000)
committerIan Jackson <ijackson@chiark.greenend.org.uk>
Sun, 25 Oct 2015 13:37:15 +0000 (13:37 +0000)
commit2342dbc87d04a5be0f80e096928696e04eac26bd
tree2ab83bf3714d8c92cb09b02748c9f46e0126c74btree | snapshot
parentbde070bdfcddb54a716ab7a1d09c648dc7ec7c7fcommit | diff
blinding: Blind cookies and hidden form param

Each time we generate a cookie or a hidden form parameter, generate
some random hex digits and xor them with the hex digits in the cookie
or parameter value.

Our cookies contain decimal digits, and punctuation, too.  The decimal
digits are simply blinded the same way (which is fine) and the
punctuation is left alone.  It's the actual values we care about.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
cgi-auth-flexible.pm diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.