| commit | 598af3ecbd3d9a705ee3d1e03cffe3a39cdfc685 | |
| author | Kyle J. McKay <mackyle@gmail.com> | |
| Sat, 13 Feb 2021 22:40:46 +0000 (13 15:40 -0700) | ||
| committer | Kyle J. McKay <mackyle@gmail.com> | |
| Sat, 13 Feb 2021 22:40:46 +0000 (13 15:40 -0700) | ||
| tree | 826b16710465025e502ca20f33398211d512cb54 | treesnapshot (tar.gz zip) |
| parent | 5447082ce7b5b13350833f27e25b3045c6dc4690 | commitdiff |
Girocco/TimedToken.pm: add support for timed tokens
A timed token is a cryptographically protected string that can be
included within a page sent to a client (i.e. hidden form field,
cookie, segment of url, etc.).
When the server receives the token, it can verify whether or not
it has expired in a cryptographically secure way.
The tokens are created using HMAC and a "secret" key. As long as
the "secret" key is not available to remote clients, forging a token
would require finding an HMAC collision (much harder than just a
plain hash collision).
Of course, the same information (validity time range) could simply
be included on a page in plain text and then signed with an HMAC
also included on that page, both of which are sent to the server
for verification.
However, these tokens are self-contained and inscrutable without
the "secret" key and a bit more convenient to use since no extra
information need be transmitted, just the token itself. And since
the tokens are url safe (they need neither URL escaping nor HTML
escaping because they use the base64url alphabet excluding '='),
they can easily be embedded most anywhere.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
A timed token is a cryptographically protected string that can be
included within a page sent to a client (i.e. hidden form field,
cookie, segment of url, etc.).
When the server receives the token, it can verify whether or not
it has expired in a cryptographically secure way.
The tokens are created using HMAC and a "secret" key. As long as
the "secret" key is not available to remote clients, forging a token
would require finding an HMAC collision (much harder than just a
plain hash collision).
Of course, the same information (validity time range) could simply
be included on a page in plain text and then signed with an HMAC
also included on that page, both of which are sent to the server
for verification.
However, these tokens are self-contained and inscrutable without
the "secret" key and a bit more convenient to use since no extra
information need be transmitted, just the token itself. And since
the tokens are url safe (they need neither URL escaping nor HTML
escaping because they use the base64url alphabet excluding '='),
they can easily be embedded most anywhere.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
| Girocco/TimedToken.pm | [new file with mode: 0644] | blob |