
Re: a challenge



You're right - since you can't decrypt, you can't check expiration
(easily). Although you could potentially run a loop to check against a
range of values, depending on how precise you need it to be. For example,
if tokens can expire on a 15-minute granularity then it's not too much of
a problem to simply check each of them manually.

The typical way to do that is:

if (crypt($plain, $crypted) eq $crypted) {
	# you guessed right.
}

From perldoc -f crypt:

When verifying an existing encrypted string you should use the encrypted
text as the salt (like `crypt($plain, $crypted) eq $crypted').  This
allows your code to work with the standard `crypt' and with more exotic
implementations.

----------------------------------------------------------------------
Andrew J Perrin - andrew_perrin@unc.edu - http://www.unc.edu/~aperrin
 Assistant Professor of Sociology, U of North Carolina, Chapel Hill
      269 Hamilton Hall, CB#3210, Chapel Hill, NC 27599-3210 USA


On Thu, 18 Oct 2001, martin f krafft wrote:

> * Andrew Perrin <aperrin@email.unc.edu> [2001.10.18 10:44:40-0400]:
> > Just an idea...
> 
> in fact, hold on... crypt is a hashing function, you can't decrypt it.
> but how then would i go about to check if a token had expired?
> 
> assuming i get something like "mdIdT8MGyu.z2" there is no way to
> figure out if the timestamp stored is less than (earlier than) a given
> timestamp...
> 
> this won't cut it, i am afraid (unless i am overseeing the trivial, as
> usual)...
> 
> thanks though andrew!
> 
> -- 
> martin;              (greetings from the heart of the sun.)
>   \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
>   
> micros~1: for when quality, reliability, and security
>           just aren't that important!
> 
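
The loop over expiry slots described in the reply above, as an added example that is not part of the original thread. It swaps HMAC-SHA256 (Digest::SHA) in for crypt(), since traditional DES crypt() hashes only the first 8 characters of its input; the names make_token and check_token, the 24-hour maximum lifetime and the sample values are assumptions.

```perl
#!/usr/bin/perl
# Added example: expiring tokens that are one-way hashes of the expiry slot.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SLOT   = 15 * 60;     # expiry granularity from the thread: 15 minutes
my $MAXTTL = 24 * 3600;   # assumption: no token lives longer than a day

# Round an epoch time up to the next slot boundary.
sub slot_ceil {
    my ($t) = @_;
    return int(($t + $SLOT - 1) / $SLOT) * $SLOT;
}

# Issue a token that expires at the first slot boundary at or after $now + $ttl.
# The expiry itself is never stored in the token, only hashed into it.
sub make_token {
    my ($secret, $user, $now, $ttl) = @_;
    return hmac_sha256_hex("$user:" . slot_ceil($now + $ttl), $secret);
}

# The hash cannot be reversed, so recompute it for every expiry slot that is
# still in the future and compare. Returns the matching expiry time, or
# nothing if the token is expired, forged, or was issued for another user.
sub check_token {
    my ($secret, $user, $token, $now) = @_;
    my $last = slot_ceil($now + $MAXTTL);
    for (my $exp = slot_ceil($now + 1); $exp <= $last; $exp += $SLOT) {
        return $exp if hmac_sha256_hex("$user:$exp", $secret) eq $token;
    }
    return;
}

# Constructed sample values, not taken from the thread.
my $secret = 'constructed-demo-secret';
my $issued = 1003416280;
my $token  = make_token($secret, 'martin', $issued, 3600);

for my $case (['fresh', $issued + 600], ['expired', $issued + 2 * 3600]) {
    my ($label, $now) = @$case;
    my $exp = check_token($secret, 'martin', $token, $now);
    printf "%-8s %s\n", $label, defined $exp ? "valid until $exp" : 'rejected';
}
```

Each check costs at most $MAXTTL / $SLOT + 1 hash computations (97 with these settings), which is the price of not storing the expiry in the clear.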


