Server side security: dynamic hash salt
Hello
I'm currently working on server/client communication. The server is simple PHP, but the main requirement is that the PHP script (server side) would respond only to requests made from the client itself and not from a web browser or anything else.
So in case a user sniffs the network traffic, analyses it and discovers the direct URL with the request,
let's assume: ***http://localhost/ServerSide?userId=some_user_id&data=some_data***
he would be able to go to the browser and try to emulate the same request. To avoid that, I came up with the idea to use a unique MD5 hash as a salt, so it will be part of the URL and different each time, so only the user's client would be able to generate it correctly and it would be impossible to generate it from the browser URL,
like this:
***http://localhost/ServerSide?userId=user_id&data=some_data&operationKey=someMD5Hash_ButEachTimeNew***
For example, the hash could be a combination of
userName+password
Then the server side would be able to look up the username and password in the database by the userId passed in the URL and compare the value on the server side.
Looks like I'm close to the solution, but how do I get a different hash for each new request?
Add time? userName+password+currentTime
But then what if my server is hosted in the UK at GMT0 and the client is in the USA, where there is a 6-hour difference? The server-side time and the client-side time would not match, which would mean that the server will fail to generate exactly the same set of characters in the string, which will lead to failing to generate exactly the same MD5 hash key.
Could you give me advice on how to bring some uniqueness to the hash, where:
someSalt is new for each request (like time)
someSalt is the same on server and client?
Or any advice on how to sync the date and time with the server, preferably not in an obvious way, since if a user analyses the traffic he would be able to see clearly that the time is synced, and that might hint to him that one of the values in the MD5 is the time.
Thank you very much my lovely community :D
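
An added example, not part of the original post: one way to get a per-request value that client and server can both compute is to sign the request together with the UTC Unix timestamp and a random nonce, since Unix time is the same in every time zone. It uses HMAC-SHA256 with a per-user secret in place of the MD5 of userName+password; the function names, the `ts` and `nonce` parameters, the 60-second window and the key are assumptions.

```php
<?php
// Added example; all names, parameters and values below are constructed.
const MAX_SKEW = 60; // seconds of clock drift tolerated between client and server

// Unambiguous encoding of the signed fields (all cast to string on both sides).
function canonical(array $q): string
{
    return json_encode([(string)$q['userId'], (string)$q['data'],
                        (string)$q['ts'], (string)$q['nonce']]);
}

// Client side: attach the timestamp, a nonce and the MAC as operationKey.
function sign_request(string $userId, string $data, string $key, int $now): array
{
    $q = ['userId' => $userId, 'data' => $data, 'ts' => $now,
          'nonce' => bin2hex(random_bytes(8))]; // two requests in one second differ
    $q['operationKey'] = hash_hmac('sha256', canonical($q), $key);
    return $q;
}

// Server side: recompute the MAC, check freshness, refuse repeated requests.
function verify_request(array $q, string $key, int $now, array &$seen): string
{
    foreach (['userId', 'data', 'ts', 'nonce', 'operationKey'] as $f) {
        if (!isset($q[$f]) || !is_scalar($q[$f])) return 'malformed';
    }
    $expected = hash_hmac('sha256', canonical($q), $key);
    if (!hash_equals($expected, (string)$q['operationKey'])) return 'bad-mac';
    if (abs($now - (int)$q['ts']) > MAX_SKEW) return 'stale';
    $id = $q['userId'] . ':' . $q['nonce'];
    if (isset($seen[$id])) return 'replay';
    $seen[$id] = (int)$q['ts']; // in production: shared store, expired after MAX_SKEW
    return 'ok';
}

// Constructed demo: $key stands for a secret the server looks up by userId.
$key  = 'PLACEHOLDER-per-user-secret';
$seen = [];
$t    = time(); // seconds since 1970-01-01 UTC, independent of local time zone

$req = sign_request('42', 'score=100', $key, $t);
echo verify_request($req, $key, $t + 5, $seen), "\n"; // fresh request
echo verify_request($req, $key, $t + 6, $seen), "\n"; // same URL sent again
$tampered = $req;
$tampered['data'] = 'score=9999';
echo verify_request($tampered, $key, $t, $seen), "\n"; // data edited in the URL
$old = sign_request('42', 'score=100', $key, $t - 3600);
echo verify_request($old, $key, $t, $seen), "\n";      // captured an hour ago
```

The timestamp and nonce travel in the clear; the MAC covers them, so changing either invalidates `operationKey`.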