[thesite] how ueue works

Daniel J. Cody djc at starkmedia.com
Thu Oct 18 13:36:34 CDT 2001


ok, here's an example that will clear it up i think :)
(only using a very simple example here for time purposes)
when i login to ueue.evolt.org it will check for my username and passwd
in the live DB. if they're correct, it says, "Ok, lemme set dan's userid
to a cookie and also run his userid through a MD5 algorithm and set that
as a cookie too".

the first cookie is in plain text. the second one is a once in a 
lifetime string set with the MD5 protocol. it takes my userid and sends 
it through an algorithm using a couple variables like so:

userid_hash = MD5(userid.SUPERSECRETPASSWORD) and gets 
3cc076a28ccb2505ea525aca65e1185b as a result. therefore,
userid_hash = 3cc076a28ccb2505ea525aca65e1185b

ok, still with me? :)

it then sets two cookies for me:

userid = 5
userid_hash = 3cc076a28ccb2505ea525aca65e1185b

and sends me on my merry way back to members.evolt.org.

members.evolt.org looks at my cookies and says, "Ok, this person has a 
couple *.evolt.org userid cookies. lemme check them"

(remember that m.e.o 'knows' what the SUPERSECRETPASSWORD is)
it then takes the userid cookie, and says, "Ok, this guy is claiming he 
has a userid of 5. lemme double check"

m.e.o then looks at my userid_hash cookie and does something like this
pseudocode:

START.
IF:

MD5($ueue.evolt.org.cookie.USERID*SUPERSECRETPASSWORD) = 
$ueue.evolt.org.cookie.USERID_HASH

THEN:

set members.evolt.org.session.userid = ueue.evolt.org.cookie.userid
  & location = members.evolt.org/index.cfm

ELSE:

echo "Fuck off and have a nice day! :)" & location = ueue.evolt.org

END.

$ueue.evolt.org.cookie.USERID is just the plaintext USERID cookie. and
$ueue.evolt.org.cookie.USERID_HASH is one created from the MD5 algorithm.

still with me? :)

if the plaintext cookie and the 'hashed' cookie don't match up when the 
Child Server(m.e.o in this case) runs MD5 'against' the plaintext and 
the SUPERSECRETPASSWORD, it boots you back and calls your mom.

MD5 is kinda like multiplying two prime numbers together if you think
about it.. it's easy to multiply
20988936657440586486151264256610222593863921
times(*)
20988936657440586486151264256610222593863921
to get our 'hash':
4.4053546201005321934871230285669e+62

but *fuck* is it hard to try to figure out what two numbers you have to 
multiply together to get :
4.4053546201005321934871230285669e+62

and MD5 is like 3l337e+3l337 times more difficult than that :)

it comes down to the fact that our applications are going to 'know' the
two prime numbers(userid, SUPERSECRETPASSWORD) while Joey Cracker with 
his m.e.o account only knows 1, which with a fucking Cray he could 
figure out, but if he has a Cray, I say we just give him access and save 
everyone the trouble ;)

hopefully that clears it up a bit, keep asking me if not and i'll try
again :)

.djc.
yes those are real prime numbers :)

.jeff wrote:


> isn't the value of the cookie already hashed?
> 
> perhaps i'm not understanding because my assumption of the value contained
> in the cookie is different than yours.
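
Added example (not part of the original post and not evolt.org's code): the cookie check described above written in Python, next to a variant that replaces the MD5 concatenation with HMAC-SHA256 and an expiry, because the post's hash for a given userid stays valid forever. The secret value, the function names and the `userid|expires|tag` token layout are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed secret for illustration; the real shared value is not on the page.
SECRET = b"SUPERSECRETPASSWORD"


def legacy_hash(userid):
    """Scheme as described in the post: MD5 over userid concatenated with the secret."""
    return hashlib.md5(userid.encode() + SECRET).hexdigest()


def legacy_check(cookies):
    """Child-server check: recompute the hash from the plaintext userid cookie."""
    expected = legacy_hash(cookies.get("userid", "")).encode()
    presented = cookies.get("userid_hash", "").encode()
    # Constant-time comparison, so timing does not reveal how much matched.
    return hmac.compare_digest(expected, presented)


def issue_token(userid, ttl=3600, now=None):
    """Hardened variant (assumed design): HMAC-SHA256 over userid and expiry."""
    now = time.time() if now is None else now
    expires = int(now + ttl)
    msg = f"{userid}|{expires}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{userid}|{expires}|{tag}"


def verify_token(token, now=None):
    """Return the userid if the tag is valid and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        userid, expires, tag = token.split("|")
        expiry = int(expires)
    except ValueError:
        return None  # wrong field count or non-numeric expiry
    msg = f"{userid}|{expires}".encode()
    expected = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None  # userid or expiry was altered, or tag is forged
    if now >= expiry:
        return None  # token was genuine but has expired
    return userid
```

In the hardened form the expiry is covered by the tag, so a captured cookie stops working after `ttl` seconds and changing either field invalidates it.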





