First I've create an Oracle with is creating highly depending oracleKeys (class OpenCommentSecurities)
Each oracleKeys create by the Oracle has the following properties:
- oracleKeys returned are always MD5 encrypted
- oracleKeys are depending of current date and time, server and user browser agent
- oracleKeys can timeout
|$key = session_id();|
$key = $_SERVER['REMOTE_ADDR'];
$value = $key .
date("F j, Y, g a");
All AJAX enable functions will test the oracleKey submitted by the browser, (can timeout!), so nobody should be able to make mass attack on OpenComment across multiple server All comments will be identified by a hidden field, I name them commentChallengeKeys, they have the following properties:
- commentChallengeKeys in page are always MD5 encrypted
- commentChallengeKeys have a common base with the oracle, a oracleKey for each comment
- commentChallengeKeys are made of the a Universally Unique IDentifier, version 4 (UUID), Yes Ive get rid of the id, the sql key entropy is higher and UUID should never colllide in a reasonable amount of time when You merge data across databases
|return md5($oracleKeys.$commentUUID) ;|
All AJAX enable functions will test the oracleKey submitted by the browser AND the commentChallengeKeys, so nobody should be able to replay the same RateUp/Down attack on multiple server.
All parameters pass to AJAX will be sanitized on the server to avoid XSS attacks $commentTitle = mysql_real_escape_string(strip_tags($title));
- Avoiding user to Rate comments too often is still not solve...
- I will welcome any code review or help...
- Migration scripts...
- Administrator panel has to be brng up to date...
- Testing, testing...
- Code reviews...