
Scott Kuhl Warning: I may have no idea what I am talking about!

Scott Mitchell addresses a potential “hole” in last week's 4GuysFromRolla article on Passing Tamper-Proof QueryString Parameters. By creating expiring web pages, you can prevent replay attacks.

The problem with the tamper-proof querystring parameter values approach I shared last week was that the tamper-proof check does not do any sort of expiration check. That means once a URL has been created it is good forever. To see where this can cause problems, imagine that we are using this technique to pass authentication information from one website (Site A) to a partner website (Site B). Specifically, Site A sends to Site B a querystring that looks like: ?UserName=username&Digest=HashOfUsernameAlongWithSecretSalt. Both websites will have to agree upon the secret salt and share that with one another, but as long as the end user is not privy to this knowledge, they cannot craft their own, valid authenticating querystring parameters. If end user Sally clicks from Site A onto Site B, she'll see the UserName parameter in the querystring. However, if she tries to alter it, changing it from "Sally" to, say, "Maria", the receiving page's digest check will fail.

The problem of replay attacks remains, however. If Sally bookmarks the link from Site A to Site B, and her evil coworker Theo finds this bookmark, Theo can then visit Site B authenticated as Sally. Theo can do this days, weeks, or months after Sally last visits Site B. What we'd like to do is make that link from Site A to Site B only "active" for a short period of time, say 60 seconds. That way, even if Sally bookmarks the link directly from Site A to Site B, if she - or anyone else - visits that link more than 60 seconds after the link was created, they'll get an error on Site B, saying that the link has expired.
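The scheme above, carried through end to end as an added example (my own Python rather than the ASP.NET code the articles discuss, and not code from either post): Site A signs the UserName together with an Expires timestamp, and Site B rejects both a tampered username and a link replayed after the 60-second window. It substitutes an HMAC for the "hash of username plus secret salt" in the original; the secret, the parameter names beyond UserName and Digest, and the fixed clock values are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed values: the shared secret both sites hold, and the 60-second window from the post.
SHARED_SECRET = b"example-secret-known-only-to-site-a-and-site-b"
LINK_LIFETIME_SECONDS = 60


def _digest(username: str, expires: int) -> str:
    # Sign the username AND the expiry together. If Expires were left out of the
    # digest, anyone holding the link could simply push the timestamp forward.
    msg = f"{username}|{expires}".encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def build_querystring(username: str, now: Optional[float] = None) -> str:
    """Site A: build a link that Site B will honour for LINK_LIFETIME_SECONDS."""
    now = time.time() if now is None else now
    expires = int(now) + LINK_LIFETIME_SECONDS
    return "?" + urlencode({"UserName": username, "Expires": expires,
                            "Digest": _digest(username, expires)})


def verify_querystring(qs: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Site B: return (ok, username) on success or (False, reason) on failure."""
    now = time.time() if now is None else now
    params = parse_qs(qs.lstrip("?"))
    try:
        username = params["UserName"][0]
        expires = int(params["Expires"][0])
        digest = params["Digest"][0]
    except (KeyError, ValueError):
        return False, "missing or malformed parameters"
    # Check the digest before trusting Expires; constant-time compare avoids a timing leak.
    if not hmac.compare_digest(digest, _digest(username, expires)):
        return False, "digest mismatch (tampered parameters)"
    if now > expires:
        return False, "link has expired"
    return True, username


if __name__ == "__main__":
    t0 = 1_126_190_460  # constructed fixed "now" so the run is reproducible
    link = build_querystring("Sally", now=t0)
    print(verify_querystring(link, now=t0 + 30))    # inside the window: (True, 'Sally')
    print(verify_querystring(link, now=t0 + 61))    # Theo replays the bookmark later: expired
    tampered = link.replace("UserName=Sally", "UserName=Maria")
    print(verify_querystring(tampered, now=t0 + 5))  # Sally edits the name: digest mismatch
```

Site B's clock must be reasonably in sync with Site A's; a few seconds of skew is absorbed by the 60-second window, but a badly wrong clock will reject every fresh link.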

Posted on Thursday, September 8, 2005 8:41 AM ASP.NET

