In a CMS app I occasionally need to open an iframe of another domain. At the moment I am setting the URL for that iframe to something very obscure. Like http://domain.com/iframe/jhghjg34787386/. This works but theoretically that iframe source url will get saved in the user's history and could be accessed from the outside world.
So, I am wondering about using a time-based approach to an ever-changing hash or string that is processed on the request side and is checked on the iframe source side. However I would like it to be time based.
I could do this to get my hash:
<?php
$seed = '123456789'; // a password that both the parent and source have
$string = md5(time().$seed);
?>
But then the two servers have to be exactly synced. Any way to make the time constraint more fuzzy?
I am also open to other approaches. Is there any way to validate that the parent window for an iframe is of a certain domain?
WordProof adds that hash to a blockchain transaction, after which it can't be altered or removed. This hash, stored in a blockchain, is what we call a timestamp.
Commonly used hashing algorithms include Message Digest (MDx) algorithms, such as MD5, and Secure Hash Algorithms (SHA), such as SHA-1 and the SHA-2 family that includes the widely used SHA-256 algorithm.
Hashing vs EncryptionHashing and encryption both provide ways to keep sensitive data safe. However, in almost all circumstances, passwords should be hashed, NOT encrypted.
Hashing is the practice of using an algorithm to map data of any size to a fixed length. This is called a hash value (or sometimes hash code or hash sums or even a hash digest if you're feeling fancy). Whereas encryption is a two-way function, hashing is a one-way function.
Several applications of hashing were presented in this article. Hashing is used to achieve data integrity. HMAC is an authenticated hash and is used to achieve data integrity and authentication. Digital signature provides non-repudiation and is based on encrypting the hash of the message with the private key.
Introduction Hashes are often used in computer security. This article presents how data integrity, authenticated data integrity and non-repudiation can be achieved using hashes. Finally it shows how to build a one-time password system using Lamport hash chain. 2. Hash and HMAC Let’s assume that Alice wants to talk to Bob.
Hashes are the output of a hashing algorithm like MD5 (Message Digest 5) or SHA (Secure Hash Algorithm). These algorithms essentially aim to produce a unique, fixed-length string – the hash value, or “message digest” – for any given piece of data or “message”.
A single password and hashing were used to generate one-time passwords and there are no secrets stored on both sides of the communication (authentication server and user). 5. Conclusions Several applications of hashing were presented in this article. Hashing is used to achieve data integrity.
You could add a key to your hash and send the timestamp with the query, e.g.:
$key = "YOUR_SECRET_KEY";
$time = time();
$hash = hash_hmac('sha256', $time, $key);
$url = "https://example.com/iframe?hash=$hash&time=$time";
On the other side you should first check if the timestamp is in the limits (e.g. not older than five minutes) and than rehash with the key and the submitted timestamp. If you get the same hash the request is valid.
Notes:
hash_equals
for comparing hashes to prevent timing attacksIf you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With