[security] One time form tokens
gaz_sec at hushmail.com
Thu Apr 12 10:31:02 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi all
I would just like to make this important point as some OpenID
servers do not use form tokens at all. Any OpenID server not using
some kind of one time form token is insecure. You are creating a
massive hole for any hacker to exploit your users if you do not use
them!
If you do not know what a form token is, here is a brief simplified
explanation:
A form token provides protection against forms of attack (e.g.
CSRF *) that allow a hacker to use your form in a way it wasn't
intended. The idea is that a form token appears as a hidden
field that can only be used once. It should be a random key, longer
than 5 characters and ideally made up of mixed-case alphanumeric
and non-alphanumeric characters, that is then hashed using MD5,
SHA1 or a similar hashing method with a salt *. The form token should
only be usable for that session and that user.
* http://en.wikipedia.org/wiki/Cross-site_request_forgery
* http://en.wikipedia.org/wiki/Salted_hash
Another useful tip for securing OpenID servers is to use referrer
checking. Now you might think that this is useless because the
referrer can be faked. However, in JavaScript it is more difficult
for a hacker to fake the referrer header, as headers can't be
easily sent with form posts, so referrer checking can actually
increase the security of your server and prevent some CSRF.
Cheers
Gareth
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5
-----END PGP SIGNATURE-----
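The one-time form token scheme and the referrer check described in the post above, as an added example (not code from the post or from any OpenID server). The in-memory store, the server secret, the TOKEN_TTL value and the origin https://openid.example are assumptions for the example; a real server would use its session backend.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import urlsplit

TOKEN_TTL = 600  # seconds a token stays usable after issue (assumed value)


class FormTokenStore:
    """One-time form tokens bound to a session; constructed in-memory store."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._sessions = {}  # session_id -> {token_digest: expiry_timestamp}

    def _digest(self, session_id: str, token: str) -> str:
        # Store only a keyed hash (the post's "salted hash"); folding the session
        # id in means the same token presented from another session never matches.
        msg = f"{session_id}:{token}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str, now: Optional[float] = None) -> str:
        token = secrets.token_urlsafe(32)  # CSPRNG, 43 URL-safe characters
        now = time.time() if now is None else now
        per_session = self._sessions.setdefault(session_id, {})
        per_session[self._digest(session_id, token)] = now + TOKEN_TTL
        return token

    def consume(self, session_id: str, token: str, now: Optional[float] = None) -> bool:
        """True exactly once for a valid (session, token) pair, False afterwards."""
        now = time.time() if now is None else now
        # pop() removes the digest on first presentation, so a replayed token fails.
        expiry = self._sessions.get(session_id, {}).pop(self._digest(session_id, token), None)
        return expiry is not None and now <= expiry


def referer_is_own_origin(referer: Optional[str], own_origin: str) -> bool:
    """Secondary check: reject POSTs whose Referer is absent or cross-origin."""
    if not referer:
        return False  # conservative policy choice; some clients strip Referer
    r, o = urlsplit(referer), urlsplit(own_origin)
    return (r.scheme, r.netloc) == (o.scheme, o.netloc)


def handle_post(store: FormTokenStore, session_id: str, form: dict,
                referer: Optional[str], own_origin: str = "https://openid.example") -> str:
    if not referer_is_own_origin(referer, own_origin):
        return "rejected: referer"
    if not store.consume(session_id, form.get("form_token", "")):
        return "rejected: token"
    return "accepted"
```

The token check runs after the referrer check so that a cross-origin submission does not burn a still-valid token.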