Securing individual RSS feeds
#1

[eluser]Philipp Gérard[/eluser]
Hey there,

I am looking for a solution to secure individual RSS feeds (in this case from a bulletin board module I wrote with CI for a larger site) using some token algorithm. Imagine I want to have a URI like 'mysite.com/forum/feed/sa9219021098sa9s09880gh98h0' for the feed where the last part is the token that identifies the user and thus prevents others from accessing his personal feed/data because this token is private. Does anyone know a default implementation of this and what obstacles to expect and avoid? Is there a CI class somewhere floating around waiting for me to pick and implement into my site? Any experience? I'd be happy to share my class once I'm done working on it if I have to implement it myself.

Thanks in advance,
Philipp
#2

[eluser]Philipp Gérard[/eluser]
No hints whatsoever?
#3

[eluser]n0xie[/eluser]
What class would you need? Wouldn't this be enough?
Code:
class Forum extends Controller
{
  function feed($token)
  {
    // $some_database_value: the token stored for the user this feed belongs to,
    // looked up from the database before the comparison
    if ($token === $some_database_value)
    {
      // show rss feed
    }
    else
    {
      // don't show rss feed
    }
  }
}
#4

[eluser]Philipp Gérard[/eluser]
Well, I know how if/else works. The question is (a) how you generate the token, (b) how you validate it and (c) how you make sure it is a secure token that can't simply be faked (md5($username) == FAIL).
#5

[eluser]n0xie[/eluser]
a. Use some algorithm based on info only YOU have (user_id and some secret. user_id prevents accidental collisions) plus some info that is unpredictable (some random number) plus some info that is time based to prevent same user collision hashes. Or whatever else you can come up with. In the most basic form:
Code:
private function gen_token($user_id, $secret)
{
    return md5($user_id . $secret . mt_rand() . time());
}

b. Store the token in the database identifying the user. Match the URL against the token. Now you know which user it is and thus what you should display. If no matches were found you could add some time based waiting system that disallows users from that IP to try and 'guess' hashes. This works well against brute-force attacks.

c. Every token can be faked. There is no protection against people randomly trying out hashes in the URL. You could implement another security measure (user has to be logged in and user_id of logged in user must match user_id of token) but this would be tricky if people want to use an RSS reader or any other means of retrieving the RSS feed without using a browser.
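The generate/store/match/limit flow from points a and b above, as an added example that is not code from this thread or from CodeIgniter. It uses plain PHP only; the $store and $failures arrays are in-memory stand-ins for the database tables (an assumption), and the client IP is passed in as a string.

```php
<?php
// Added example (not from the thread): unguessable per-user feed tokens,
// stored hashed, looked up by hash, with a simple failed-lookup counter
// per client. $store and $failures are in-memory stand-ins for database
// tables (assumption); a real app would use its own storage layer.

function gen_feed_token(): string
{
    // 32 bytes from the CSPRNG -> 64 hex chars. Nothing is derived from the
    // username or id, so a third party cannot recompute it.
    return bin2hex(random_bytes(32));
}

function store_feed_token(array &$store, int $user_id, string $token): void
{
    // Keep only a hash: a leaked table does not hand out working feed URLs.
    $store[hash('sha256', $token)] = $user_id;
}

const MAX_FAILURES = 5;

// Returns the owning user id, or null if the token is malformed, unknown,
// or the caller has already failed too often (the "waiting system" above).
function user_for_token(array $store, array &$failures, string $ip, string $candidate): ?int
{
    if (($failures[$ip] ?? 0) >= MAX_FAILURES) {
        return null; // refuse further guesses from this client
    }
    // Reject anything that isn't the expected shape before touching storage.
    if (!preg_match('/^[0-9a-f]{64}$/', $candidate)) {
        $failures[$ip] = ($failures[$ip] ?? 0) + 1;
        return null;
    }
    // Hashing first makes the lookup an exact index match on a digest
    // rather than a string compare against the secret itself.
    $user_id = $store[hash('sha256', $candidate)] ?? null;
    if ($user_id === null) {
        $failures[$ip] = ($failures[$ip] ?? 0) + 1;
    }
    return $user_id;
}

// Usage with constructed sample data
$store = [];
$failures = [];
$token = gen_feed_token();
store_feed_token($store, 42, $token);
$owner = user_for_token($store, $failures, '203.0.113.5', $token);
$miss  = user_for_token($store, $failures, '203.0.113.5', str_repeat('a', 64));
```

Issuing a fresh token (and dropping the old hash) when a user asks to reset it lets a leaked feed URL be revoked without touching the account password.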
