Mailing List Archive: 49091 messages

RWT: Cookies

 [1/17] from: maarten::koopmans::surfnet::nl at: 3-Mar-2003 19:41


REBOL [ Title: "Logic to set and get HTTP cookies" ]

cookies: context [
    data: copy []

    url-encode: func [
        {Replaces characters that are not allowed in URLs by their url-encoded values.}
        val [string!]
        /local illegal-chars lval
    ] [
        lval: copy val
        illegal-chars: {+%;/?:@= "<>#{}|\^~[]`}
        foreach char illegal-chars [
            replace/all lval char join "%" enbase/base to-string char 16
        ]
        return lval
    ]

    url-decode: func [
        val [string!]
        /local illegal-chars lval
    ] [
        lval: copy val
        illegal-chars: {+%;/?:@= "<>#{}|\^~[]`}
        foreach char illegal-chars [
            replace/all lval join "%" enbase/base to-string char 16 char
        ]
        return lval
    ]

    to-GMT-idate: func [
        "Returns a standard GMT-based Internet date string."
        date [date!]
        /local str GMT-date
    ] [
        str: copy {GMT}
        GMT-date: date - date/zone
        head insert str reform [
            pick ["Mon," "Tue," "Wed," "Thu," "Fri," "Sat," "Sun,"] GMT-date/weekday
            GMT-date/day
            pick ["Jan" "Feb" "Mar" "Apr" "May" "Jun" "Jul" "Aug" "Sep" "Oct" "Nov" "Dec"] GMT-date/month
            GMT-date/year
            GMT-date/time
            ""
        ]
    ]

    init: func [
        {Reads cookies from the HTTP header.}
        /local cookies rule name val
    ] [
        data: copy []
        if cookies: select system/options/cgi/other-headers "HTTP_COOKIE" [
            rule: [
                copy name to "=" "="
                [copy val to ";" "; " | copy val to end]
                (append data reduce [name url-decode val])
            ]
            parse cookies [any rule]
        ]
        ;write/append %/tmp/log rejoin [cookies newline]
    ]

    set-cookie: func [
        {By default, cookie expires at end of session, path is /, domain is server, and not secure.}
        name [string!] "The cookie's name"
        value [string!] "The cookie's value"
        expires [date! none!] "Date, should also include time"
        path [string! none!] "Path in which cookie should be returned"
        domain [string! none!] "Your server or domain"
        secure [logic! none!] "Return only over secure channels"
    ] [
        prin rejoin [{Set-Cookie:} name {=} url-encode value {; }]
        all [expires prin rejoin [{expires=} to-GMT-idate expires {; }]]
        all [path prin rejoin [{path=} path {; }]]
        all [domain prin rejoin [{domain=} domain {; }]]
        all [secure prin {secure}]
        prin {^/}
    ]

    get-cookie: func [
        {Returns the value of a cookie. Return none if the cookie is not set.}
        name [string!] {Name of the cookie.}
    ] [
        select data name
    ]
]

 [2/17] from: petr:krenzelok:trz:cz at: 4-Mar-2003 16:15


Hello Maarten,

I would like to see the following function getting into your cookies module. You had it included with the previous cookie handling version, but now I can't see it. However - I found out Windows timer granularity is not that great and I got two consecutive generate-ID functions generating identical IDs. Then I found out that my assumption of checksum/secure randomizing the result was probably wrong. So I added random/secure and I hope now we will really get unique-enough IDs ... of course I would like others to comment, as I am no cryptography guru :-)

generate-ID: func [/local t][
    t: mold checksum/secure mold now/time/precise
    random/secure copy/part at t 3 ((length? t) - 3)
]

cheers,
-pekr-

 [3/17] from: maarten:koopmans:surfnet:nl at: 4-Mar-2003 20:22


1) Add if you like and submit the changes back to me as the GPL requires.
2) I don't feel it belongs there: it has nothing to do with cookies.

--Maarten

Petr Krenzelok wrote:

 [4/17] from: hallvard:ystad:helpinhand at: 4-Mar-2003 21:52


Very nice. But does it handle HTTP_COOKIE2 ?

~H

Dixit Maarten Koopmans (19.41 03.03.2003):

 [5/17] from: petr:krenzelok:trz:cz at: 5-Mar-2003 8:52


Hallvard Ystad wrote:
>Very nice. But does it handle HTTP_COOKIE2 ?
>

I found no satisfactory resources for better understanding of what HTTP_COOKIE2 is all about. Could you please post any links or a short explanation?

Thanks a lot,
-pekr-

 [6/17] from: rebol:laurent-chevalier at: 5-Mar-2003 8:24


Hi Petr,

I'm using this function to generate a unique and secure session ID in my rsp.cgi :

; config and ext are defined elsewhere in rsp.cgi (not shown here)
build-id: has [ id ][
    random/seed join now/precise either config/log-path [
        checksum read config/log-path
    ][
        checksum to-string now/precise
    ]
    until [
        id: make string! (config/session-key-length + 5)
        loop config/session-key-length [
            append id first random "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        ]
        not exists? to-file rejoin [config/session-dir id ext]
    ]
    id
]

Note the definition of a unique seed with random/seed to avoid repetition of ID. I'm getting entropy that to checksum read config/log-path that depends on the users of the service and so can be guessed by any hacker.

See the code and documentation at http://www.shlik.org/rsp

Regards,
Laurent

Maarten Koopmans wrote:

 [7/17] from: petr:krenzelok:trz:cz at: 5-Mar-2003 11:30


Laurent Chevalier wrote:
> Hi Petr,
> I'm using this function to generate unique and secure session ID in my
<<quoted lines omitted: 14>>
> I'm getting entropy that to checksum read config/log-path that
> depends on the users of the service and so can be guessed by any hacker.

Are you sure a hacker has any chance to guess the sequence? I find your code a bit complicated to understand. What do you think of:

generate-id: func [/local t][
    t: mold checksum/secure mold now/time/precise
    random/secure copy/part at t 3 ((length? t) - 3)
]

IIRC in some earlier discussion someone stated that checksum/secure is secure enough ... the only problem I got is - I was able to receive the same now/time/precise values ... maybe because of low Windows timer granularity ... so I added random/secure and I can't believe
a) someone can guess the mechanism
b) I can obtain two identical identifiers which I want to use for login to the system ...

cheers,
-pekr-

 [8/17] from: rebol:laurent-chevalier at: 5-Mar-2003 13:00


Hi Petr,

I wrote a bit quickly this morning and I've swallowed some words. I wanted to say that the entropy provided by the config/log-path file ensures that a hacker can not guess the initial seed of the random generator. If you use time and if time is not precise enough, then you may be vulnerable to brute force attacks, but I agree with you the risks are rather low.

Moreover, you need to initialize the random generator each time with a different random/seed to avoid always using the same random sequence.

IMHO, if you want to keep things simple, I think this would be a bit more secure :

random/seed to-string now/precise
id: copy ""
loop 30 [ append id first random "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" ]
id

Regards,
Laurent

Petr Krenzelok wrote:
> Laurent Chevalier wrote:
>> Hi Petr,
<<quoted lines omitted: 39>>
>> Regards,
>> Laurent

--
Laurent
http://www.shlik.org

 [9/17] from: cedricg:bluewin:ch at: 5-Mar-2003 13:34


why not :

id: copy ""
loop 30 [
    random/seed to-string now/precise
    append id first random "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
]

?

On 5.03.2003, Laurent Chevalier wrote:

 [10/17] from: petr:krenzelok:trz:cz at: 5-Mar-2003 13:34


Laurent Chevalier wrote:
> Hi Petr,
> I wrote a bit quickly this morning and I've swallowed some words. I
<<quoted lines omitted: 12>>
> loop 30 [ append id first random "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" ]
> id

OK, thanks - then only one question remains for me - what is the random/secure option good for? Maybe it restarts the randomizer and even does some more things to ensure the randomizer is "secure" enough?

-pekr-

 [11/17] from: rotenca:telvia:it at: 5-Mar-2003 14:12


Hi,
> Moreover, you need to initialize the random generator each time with a
> different random/seed to avoid always using the same random sequence.
<<quoted lines omitted: 4>>
> loop 30 [ append id first random "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" ]
> id

Perhaps this could help:

randomize: has [seed] [
    seed: now/precise
    until [seed <> now/precise]
    random/seed now/precise
    seed: none
]

---
Ciao
Romano

 [12/17] from: lmecir:mbox:vol:cz at: 5-Mar-2003 15:00


Hi Pekr,
> OK, thanks - then only one question remains for me - what is
> random/secure option good for? Maybe it restart randomizer and even does
> some more things to ensure randomizer is "secure" enough?

no, actually there are two different generators: RANDOM and RANDOM/SECURE. They both use the same seed; the /SECURE generator is slower, and its quality is higher, i.e. its statistical properties are better.

HTH
-L

 [13/17] from: g:santilli:tiscalinet:it at: 5-Mar-2003 14:36


Hi Petr,

On Wednesday, March 5, 2003, 1:34:47 PM, you wrote:

PK> OK, thanks - then only one question remains for me - what is
PK> random/secure option good for? Maybe it restart randomizer and even does
PK> some more things to ensure randomizer is "secure" enough?

RANDOM/SECURE uses a different algorithm to generate the random sequence. The one used by RANDOM/SECURE is "much more random" than the one used by plain RANDOM (which is faster).

Regards,
Gabriele.
--
Gabriele Santilli <[g--santilli--tiscalinet--it]> -- REBOL Programmer
Amigan -- AGI L'Aquila -- REB: http://web.tiscali.it/rebol/index.r
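The point Laurent, Romano, Ladislav and Gabriele circle around (the generator's statistical quality is a separate question from whether its seed can be known or repeats, and a clock seed repeats whenever the timer is coarse), as an added Python example that is not code from the thread: REBOL's random/seed and now/precise are mirrored with Python's seeded random.Random over constructed clock readings, with the secrets module as the OS-entropy alternative.

```python
# Added example (not from the thread): the thread's clock-seeded session IDs
# next to IDs drawn from OS entropy. Clock readings are constructed and stand
# in for REBOL's now/precise.
import math
import random
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits   # the thread's 36 symbols
ID_LEN = 30                                         # Laurent's loop 30


def id_from_clock(clock_reading: str) -> str:
    """Mirror of 'random/seed to-string now/precise' followed by 30 picks.
    The output is a pure function of the seed: two calls that see the same
    clock reading (Petr's Windows timer granularity problem) return the same
    ID, and the ID carries no more entropy than the timestamp does."""
    rng = random.Random(clock_reading)      # seeded, deterministic PRNG
    return "".join(rng.choice(ALPHABET) for _ in range(ID_LEN))


def id_from_os_entropy() -> str:
    """Draw every character from the OS CSPRNG: there is no seed to know and
    no dependence on timer resolution, so collision and prediction both come
    down to the size of the ID itself."""
    return "".join(secrets.choice(ALPHABET) for _ in range(ID_LEN))


def distinct_ids(clock_readings) -> int:
    """How many different IDs a burst of logins actually receives."""
    return len({id_from_clock(r) for r in clock_readings})


def seed_bits(window_seconds: float, tick_ms: float) -> float:
    """Entropy of a clock seed once the time is pinned to a window: the
    number of distinct timer ticks inside it. Compare with id_bits()."""
    return math.log2(window_seconds * 1000 / tick_ms)


def id_bits(length: int = ID_LEN, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly drawn ID of the given shape (about 155 bits
    for 30 symbols out of 36)."""
    return length * math.log2(alphabet_size)


# Constructed readings: a 10 ms timer that delivered the same value twice.
BURST = ["5-Mar-2003/13:34:47.120", "5-Mar-2003/13:34:47.120",
         "5-Mar-2003/13:34:47.130"]
```

Romano's randomize (spinning until now/precise changes) removes the duplicate in BURST but not the small seed space; only id_from_os_entropy addresses both.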

 [14/17] from: hallvard:ystad:helpinhand at: 9-Mar-2003 13:20


Hi Maarten,

Don't you think, within your cookies context, that

illegal-chars: {+%;/?:@= "<>#{}|\^~[]`}

should really be

illegal-chars: {%+;/?:@= "<>#{}|\^~[]`}

So that a '+' won't be encoded as '%252B'?

~H
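The double encoding Hallvard describes, as an added Python example that is not code from the thread or from the cookies module: the same sequential replace loop run with '%' after '+' and with '%' first, plus the matching decode, which also has to walk the list in reverse to be an exact inverse (the REBOL module decodes in the same order it encodes). The escapes in the REBOL illegal-chars string are taken as the literal characters ^ and ~, which is an assumption.

```python
# Added example (not from the thread): Maarten's url-encode/url-decode loops
# mirrored in Python, with the two illegal-character orders under discussion.
# The REBOL string escapes are assumed to mean the literal characters ^ and ~.

ILLEGAL_ORIGINAL = '+%;/?:@= "<>#{}|\\^~[]`'   # '%' after '+' (Maarten's order)
ILLEGAL_FIXED = '%+;/?:@= "<>#{}|\\^~[]`'      # '%' first (Hallvard's order)


def url_encode(value: str, illegal: str = ILLEGAL_FIXED) -> str:
    """Sequential replace, as the REBOL foreach/replace loop does: each
    character becomes %XX in the order given. If '%' is not first, the '%'
    produced for an earlier character is itself re-encoded to '%25'."""
    for ch in illegal:
        value = value.replace(ch, "%%%02X" % ord(ch))
    return value


def url_decode(value: str, illegal: str = ILLEGAL_FIXED, reverse: bool = True) -> str:
    """Undo url_encode. Walking the list in reverse (so '%25' is decoded
    last) is what makes the decode an exact inverse: a literal '%2B' in the
    original must come back as '%2B', not as '+'. reverse=False reproduces
    the REBOL module, which decodes in encoding order."""
    for ch in (reversed(illegal) if reverse else illegal):
        value = value.replace("%%%02X" % ord(ch), ch)
    return value


def roundtrip(value: str, illegal: str = ILLEGAL_FIXED, reverse: bool = True) -> str:
    """Encode then decode with the given order; equals value only when both
    the encoding order and the decoding direction are right."""
    return url_decode(url_encode(value, illegal), illegal, reverse)
```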

 [15/17] from: maarten:koopmans:surfnet:nl at: 11-Mar-2003 8:23


You may be right, have you tried it?

--Maarten

Hallvard Ystad wrote:

 [16/17] from: hallvard:ystad:helpinhand at: 11-Mar-2003 14:37


Yes, and I had to do the change for it to work properly.

~H

Dixit Maarten Koopmans <[maarten--koopmans--surfnet--nl]> (Tue, 11 Mar 2003 08:23:25 +0100):

 [17/17] from: maarten:koopmans:surfnet:nl at: 11-Mar-2003 16:26


Thanks for supplying the patch then ;-)

--Maarten

Hallvard Ystad wrote:
