Tim Fernihough
Co-founder and Head of IT Operations at Myplanet
Toronto, ON
Joined November 2012
@hisnameisjimmy - glad it was able to help someone else. That was the hope. I find myself Googling in desperation in situations like this and when I can't find a solution but stumble onto one on my own; it's almost an obligation to share (if you're a good person of course lol).

Have a great day.

Hi r3trosim. I'm not clear on how it being a Windows machine that you used might have caused the issue. Sorry that you're having difficulty.

I didn't do it incrementally, no. Just the latest firmware at the time.

Posted to Dealing with Coderwall Spam over 1 year ago

@mdeiters I'm currently researching to see if there is an answer to my question but is there a way to flag comments as spam yet? I'm getting a ton of spam comments on my otherwise legitimate posts. For example: https://coderwall.com/p/xdljzq/difference-between-php-sessions-and-cookies - the last handful of comments are just garbage and I can't remove them.


Hi James, thanks for the response.

So after you enter the MAC address, what happens? Does the phone go into a "Resetting configuration" process?

Tim

@gump2 - thanks for giving this a shot. Apparently following these steps for Ubuntu 10.04.1 LTS works but on Ubuntu 10.04.4 LTS it did not. Just a disclaimer for anyone trying these steps.

@gump2, my sources.list values are as follows:

deb http://archive.ubuntu.com/ubuntu/ lucid main restricted universe
deb-src http://archive.ubuntu.com/ubuntu/ lucid main restricted universe
deb http://archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe
deb-src http://archive.ubuntu.com/ubuntu/ lucid-updates main restricted universe
deb http://security.ubuntu.com/ubuntu/ lucid-security main restricted universe
deb-src http://security.ubuntu.com/ubuntu/ lucid-security main restricted universe

Thanks @peacengell! Appreciate the further knowledge share.

@alchemycs I could definitely see that being a pain point for sure! If you are writing your own upload library, I could see that being something the developer could easily control but if they are using something pre-built like the Webforms in Drupal; wonder how we'd be able to get around that? Creating a patch and submitting it against the Webform Module I guess. :)

Glad that it was helpful to you guys!

Posted to Java 0 day vulnerability in the wild over 1 year ago

Awesome @elecay! Thanks for keeping this post updated.

@kunalvarma05
Well, with login I would recommend a cookie. There is no need to use a session, and all well-known frameworks and content management systems set a cookie. It's up to you to set a normal cookie or a session cookie depending on what your business logic requires (i.e., so the user is logged out if they close the browser). Typically, even a non-session cookie has a lifetime somewhere on the order of a few months. If you want to accomplish a persistent login session similar to Facebook, where a user checks off a checkbox that says something like "keep me logged in", that is a hashed/salted cookie value that matches an entry in the database for a given user. This allows for a cookie that ultimately never dies until the user clears their cookies.

I saw your original post actually said credit card details. Under no circumstances should you be storing anything having to do with credit card details in a cookie. I assume you're building a front-end interface that interacts with a 3rd party credit card gateway. If you're simply trying to accomplish some form of recurring billing, look into their API. They likely have a token based system to accomplish this. Your site visitors will appreciate knowing that you take the security of their details seriously.

Hope this helps!

@kunalvarma05
Happy to help - do you have a particular scenario that might be easier to work with? Perhaps we can use your example.

@kunalvarma05

It really depends on what you're doing. You'll never want to trust something from the browser just as-is. Anything stored in a browser (i.e., a cookie) can be modified, so that poses a potential problem.

With PHP sessions, you generally have to create an identifier for that user (and store it in a cookie). Don't store a raw value in that cookie that is passed into a database query in order to retrieve data. A modification to the cookie would mean the identifier is lost, but if someone gets hold of your session ID somehow, your session could be hijacked.

Summary
Use a cookie whenever possible with encrypted values.

If the situation allows it and the data you are storing is not critical, don't store it in plain text but rather encode the value using a decent encryption algorithm and then store it in a cookie. If the situation demands that you use a session with an identifier cookie but you're concerned about session hijacking - simply make sure that the IP address or something somewhat uniquely identifying is fed in as a parameter to the algorithm that generates the session ID.
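The "keep me logged in" cookie described in the login comment above, together with the rule that nothing coming from the browser is trusted as-is, as an added example in Python (not code from the original thread or from Coderwall): the cookie carries a random token, the server stores only its salted hash, and `_remember_tokens` is a constructed in-memory stand-in for the database table.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stand-in for the "entry in the database for a given user".
# Only the salted hash of the token is kept server-side, never the token itself.
_remember_tokens: dict[str, tuple[str, bytes, bytes]] = {}  # selector -> (user_id, salt, hash)


def _hash_token(token: bytes, salt: bytes) -> bytes:
    # Salted hash of the random token; the raw token lives only in the browser cookie.
    return hashlib.sha256(salt + token).digest()


def issue_remember_cookie(user_id: str) -> str:
    """Create a 'keep me logged in' cookie value for user_id.

    The cookie carries a selector (used only to find the row) and a random token.
    The row stores salt + hash(token), so a leaked table does not yield usable cookies.
    """
    selector = secrets.token_urlsafe(9)
    token = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    _remember_tokens[selector] = (user_id, salt, _hash_token(token, salt))
    return f"{selector}:{token.hex()}"


def user_from_remember_cookie(cookie_value: str) -> Optional[str]:
    """Return the user_id the cookie authenticates, or None if it is invalid.

    Nothing in the cookie is trusted as-is: the selector only locates a row, and the
    token must hash to the stored value (compared in constant time to avoid timing leaks).
    """
    try:
        selector, token_hex = cookie_value.split(":", 1)
        token = bytes.fromhex(token_hex)
    except ValueError:
        return None  # malformed or tampered cookie
    row = _remember_tokens.get(selector)
    if row is None:
        return None  # unknown selector, e.g. revoked or forged
    user_id, salt, stored_hash = row
    if not hmac.compare_digest(_hash_token(token, salt), stored_hash):
        return None  # token does not match the stored salted hash
    return user_id


def revoke_remember_cookie(cookie_value: str) -> None:
    """Invalidate the cookie server-side (e.g. on logout or password change)."""
    _remember_tokens.pop(cookie_value.split(":", 1)[0], None)
```

Because the cookie value is random and only its hash is stored, a modified cookie fails verification rather than being looked up as a raw identifier, and the server can revoke it at any time.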
