You will need to implement some sort of signature along with all your messages.

If the actual security requirements are light (i.e. protection against the casual "hacker") then you could hash every message combined with a value specific to each client, then include the hash along with the message. On the server side, you repeat the process and check the incoming hash against the resulting one. Obviously you will need a value specific to each client, which should be reasonably hard to get for the intruder. To generate one you could use Diffie-Hellman or something similar (in Javascript? over HTTP? ouch!) or you could simply send a random value from the client with the first request and hope the intruder was not there to see it :)

Please note that this "single vulnerable message" is only slightly better than no protection at all (the cookie is visible in each request, the random value only once).

For any stronger security concerns than the above scenario I would strongly recommend "the beaten path", i.e. https, against any home-brewed protocol.

HTH.

----- Original Message -----
From: "scconsulting" <scconsult...@free.fr>
To: "ICS support mailing" <twsocket@elists.org>
Sent: Friday, January 16, 2009 1:57 PM
Subject: Re: [twsocket] NIC list

> Indeed if a "spy" is observing packets from the beginning of the session this
> will not work, I was certainly drunk when I posted ;)
>
> If I don't want to use https, given the fact I control the source of both
> client and server, is there any alternative mechanism I can use to avoid
> fake messages from clients?
>
> ----- Original Message -----
> From: "Florin Vancea" <fvan...@maxiq.ro>
> To: "ICS support mailing" <twsocket@elists.org>
> Sent: Friday, January 16, 2009 7:23 AM
> Subject: Re: [twsocket] NIC list
>
> > Anyone capturing the session ID will capture the IP you send, too.
> > If you are concerned about security, use https with your cookies.
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be