Solving Data-Transfer Problems

The developer can prevent attackers from modifying data that is supposed to be hidden by managing the session information, by using GUIDs, or by encrypting the information.

Managing Session Information Most server-side scripting technologies let the developer store session information about the user on the server. This is the most secure way to keep session-specific data, because all of it is stored locally on the web server machine and is never handed to the client where it could be altered.


Using GUIDs A globally unique identifier, or GUID, is a 128-bit randomly generated number that has 2^128 possible values. A web application programmer can use GUIDs as user identifiers. Assuming a web server has 4 billion users (about 2^32, which is more than the number of people who have Internet access), there are on average 2^96 possible values per user (2^128 / 2^32 = 2^96). Since 2^96 is approximately 7 followed by 28 zeros, an attacker has no realistic chance of guessing, and thus accessing, a valid GUID. This argument only holds if the GUIDs come from an unpredictable, cryptographically secure random source; an identifier derived from time, a counter, or a weak generator does not give the attacker a search space of 2^96.

Encrypting Data The developer can pass encrypted data to the client rather than passing it in cleartext. The data should be encrypted with a master key: a symmetric key that is stored only on the web server and is used to protect the data while it is held on the client side. If an attacker tries to modify the encrypted data, the tampering will be detected when the data comes back and is decrypted. For that detection to be reliable, the encryption must also authenticate the data (an authenticated mode such as AES-GCM, or a separate MAC over the ciphertext); encryption alone does not prevent an attacker from altering ciphertext bits without being noticed.
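As an added example (not part of the original text), the following Go program seals a hidden form value with AES-256-GCM under a server-side master key and rejects any submitted value whose authentication tag no longer verifies. The key, the function names and the sample field value are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Constructed 32-byte master key: a real one is random, stays on the server and never reaches the client.
var masterKey = []byte("example-master-key-32-bytes-long")
// One AEAD built from the key; NewCipher/NewGCM fail only on a malformed key, hence the panic.
var gcm = mustGCM()

func mustGCM() cipher.AEAD {
	block, err := aes.NewCipher(masterKey)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// SealHiddenField encrypts value with AES-256-GCM and returns
// base64(nonce || ciphertext || tag), suitable for a hidden form field.
func SealHiddenField(value string) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(value), nil)), nil
}

// OpenHiddenField reverses SealHiddenField. Any edit to the submitted field breaks the
// GCM tag, so the server rejects it instead of trusting a modified price or user id.
func OpenHiddenField(encoded string) (string, error) {
	raw, err := base64.URLEncoding.DecodeString(encoded)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", errors.New("hidden field is malformed")
	}
	value, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
	if err != nil {
		return "", err // "cipher: message authentication failed"
	}
	return string(value), nil
}
```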

NOTE Never use a derivative of the user's information as a hidden identifier, such as an MD5 hash of the username: anyone who knows the username can compute it. Attackers will look for exactly such shortcuts and exploit them.
