Name: Keith Gaughan
Member since: 2005-01-13 01:46:31
Last Login: N/A
Homepage: http://talideon.com/
Ok. Say you're pulling a bunch of data in response to a search from some external source. Some of this data includes things like prices, discounts, and the like. It's not important that this information be hidden from a potential (malicious or otherwise) user, but it is important that it can't be tampered with. Because there's no easy way for the receiving page to validate the data when it comes back, we need to mark it somehow.
A checksum is out of the question: too easy to forge, since anyone can recompute it. However, the software is web-based, so we could store some kind of hidden key in a session variable. We could then concatenate the contents of each of the form fields that must not be alterable, and prepend or append the hidden key. We could then hash the resulting string to generate a fingerprint to be passed along with the form. Checking the fingerprint would mean reassembling the string from the submitted form fields and the session's key, hashing the result, and comparing it to the fingerprint that came back.
The hidden key would have to be something fairly random, generated by a fairly strong random number generator, or even a UUID. It's not sufficient to use one single static key for the whole application, as this could be too easily found out. Nor is it ideal to have a periodically refreshed one (regenerated after the application times out from lack of use). Though the latter might suffice, it's still potentially shared between a large number of hosts, and could be cracked by somebody determined enough.
So a per-session key is the only way. It's tied to one client, and even if some kind of attack is made to try to recover the key, throttling could be put in place to make sure the attacker can't do much, and if they try they'll be noticed.
So, does anybody see any flaws in this? It's a simple enough (and frankly, fairly obvious) scheme. I'd be unsurprised if I'm not the first person to come up with this.
I'd appreciate any feedback.
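Here is the scheme above written out as a small, self-contained example. It is added here and is not code from the original entry; the field names, the session store and the sample values are all made up for illustration. Two details are different from the literal description: the keyed hash is HMAC-SHA256 rather than a plain hash over "key || fields" (hashing key-then-data with MD5 or SHA-1 is open to length-extension, HMAC is not), and the protected fields are serialised with their names and explicit separators rather than simply concatenated, because bare concatenation lets "10"+"5" and "1"+"05" produce the same hash input.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a server-side session store, keyed by session id.
# A real web app would use its framework's session object; this dict is an
# assumption for the example, not anything from the original entry.
SESSIONS: dict[str, bytes] = {}


def new_session(session_id: str) -> bytes:
    """Create the per-session hidden key from the OS CSPRNG and store it
    server-side. The key never goes to the client."""
    key = secrets.token_bytes(32)
    SESSIONS[session_id] = key
    return key


def canonical_encoding(fields: dict[str, str]) -> bytes:
    """Encode the protected fields unambiguously.

    Field names are included and sorted, and values are separated by JSON
    syntax, so shifting bytes between adjacent fields changes the encoding
    and therefore the fingerprint."""
    return json.dumps(
        {name: str(value) for name, value in fields.items()},
        sort_keys=True,
        separators=(",", ":"),
    ).encode("utf-8")


def fingerprint(session_key: bytes, fields: dict[str, str]) -> str:
    """Keyed hash over the protected fields; this hex string travels with
    the form as a hidden field."""
    return hmac.new(session_key, canonical_encoding(fields), hashlib.sha256).hexdigest()


def verify(session_key: bytes, submitted: dict[str, str], submitted_fp: str) -> bool:
    """Recompute the fingerprint from what came back and compare in
    constant time, so a byte-by-byte timing oracle is not possible."""
    expected = fingerprint(session_key, submitted)
    return hmac.compare_digest(expected, submitted_fp)


def demo() -> tuple[bool, bool, bool, bool]:
    """Walk through the scheme on constructed search results.

    Returns (untouched form verifies, tampered price rejected,
             other session's key rejected, concatenation-ambiguous
             inputs get different fingerprints)."""
    key = new_session("session-A")

    # Constructed result of the external search: these are the fields the
    # receiving page must be able to trust.
    protected = {"fare_id": "XY123", "price": "199.99", "discount": "10"}
    fp = fingerprint(key, protected)  # rendered into the form as a hidden field

    untouched_ok = verify(key, dict(protected), fp)

    # Client edits the price in the form before submitting it.
    tampered = dict(protected, price="1.99")
    tampered_rejected = not verify(key, tampered, fp)

    # Fingerprint replayed from another client's session.
    other_key = new_session("session-B")
    cross_session_rejected = not verify(other_key, protected, fp)

    # With bare concatenation both of these would hash "105"; with the
    # named, delimited encoding they differ.
    ambiguous_differ = fingerprint(key, {"price": "10", "discount": "5"}) != fingerprint(
        key, {"price": "1", "discount": "05"}
    )

    return untouched_ok, tampered_rejected, cross_session_rejected, ambiguous_differ


if __name__ == "__main__":
    print(demo())
```

The fingerprint is safe to expose in the page because recomputing it requires the session key, which only the server holds; what the client can do is submit the original fields with their original fingerprint, which is exactly the replay the scheme is meant to allow.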
Having had a crappy fortnight struggling to interface with Cendant's Galileo system for work (partly because it's sadistic, and partly because I'm stupid), and a whole bunch of other crappy work-related crap, I'm now sweating like a pig, sitting behind the counter of a boiling hot gaming café. I've been run off my feet all day, and now all I want to do is sleep. Helping out friends sucks! :-)
Meanwhile, I'm finding hacking on the software to drive the FusionWiki site more fun than hacking on the project itself! The small CMS I started hacking together is beginning to take on a life of its own!
13 Jan 2005 (updated 13 Jan 2005 at 01:57 UTC) »
Very odd. Worrying, even.
My Advogato account disappeared.
Not completely, mind you.
FusionWiki was still listed with me as lead developer. Quite odd.
So I created a new account under the same name, and lo and behold, all my diary entries were still there.
But all the certification was gone. Disappeared. Kaput.
Any of the certification I'd given to others was gone, and all the certification I'd got was gone.
And all this happened without any notice.
So, did mod_virgule cough up a furball, or did I say something?
Hrumph!
30 Dec 2004 (updated 30 Dec 2004 at 07:08 UTC) »
Preemptive new year's resolution: cut back on the number of feeds and mailing lists I'm on until I feel I'm productive again. Less bloody browsing! And worship Merlin Mann as the god he surely is. And read Gaping Void a bit more.