| Title: NYPHP group meeting - Security and tamper proof URLs Post by: Gena01 on November 28, 2007, 11:36:12 pm So yesterday was my first time attending NYPHP group meeting in the IBM building. They were not kidding when they said that people should be there 6:30pm sharp. I came in like 5 minutes late and already missed a bunch of slides.  Some summary items: * HMAC is used to tamper proof URLs. * Don't use PEAR Crypt_HMAC it's bad/buggy. * PHP5.1.2 has new "hash" extension that has hash_hmac() function written in C. For older versions they claim you can grab and compile extension from PECL. * To use HMAC you need to pass at least 2 parameters in your URL: your message (or normal parameter) and then the hmac verification code. If you passing in >1 parameter then you need to HMAC ALL of the parameters. * I was really curious about single sign-on stuff which I guess could be a topic for the next meeting. I am really starting to enjoy these little get togethers. It's also a great way to meet people in the community. Looking towards the other meetings. Update: The slides have been posted by the presenter here: http://modp.com/slides/securestring/ P.S. There's a tech party coming up in like two weeks. Gena01 |