The newLISP on Rockets blog

Salted cookies! Yum!


Post #: 36
Post type: Blog post
Date: 2012-10-10 20:56:22.000
Author: Rocket Man

Cookie security is something many sites don't bother with, because who would ever fake a cookie? Well, as it turns out, a lot of people could do just that.

Cookie security best practices have been known for a while. This article from 2004 lays them out pretty nicely: http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/

Basically, the cookie should be a random number, not just the user ID: something hard to guess. But a random number alone isn't enough either. What if a user registers, copies the carefully-selected random number out of their own cookie, and simply changes the user ID that sits next to it? Then they could log in as any user they wanted!

So what we do is add some salt in the form of ANOTHER random number, unique to each user, which is mixed into the value the cookie carries. The salt is stored in the user database, so it is never sent to the browser and isn't available to the public. This makes every cookie unique for each user: a cookie with a swapped-in user ID no longer checks out, because only the server knows the ingredient needed to make a valid one for that user.

You also want to run everything over SSL (i.e. https), and mark the cookie Secure so the browser never sends it over plain http, to avoid people stealing cookies off the wire with tools like Firesheep on shared WiFi. That part, though, is up to the site administrator.
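The per-user-secret scheme above, as an added example that is not part of the original post or of Rockets (which does this in newLISP; the example below is Python for illustration). The user table is a constructed in-memory dict, the cookie layout user:token:tag is this example's own choice, and the tag is an HMAC-SHA256 under the user's secret rather than a plain hash. User IDs are assumed not to contain colons.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the user table: user id -> that user's own random
# secret (the per-user "salt" the post keeps in the database). The dicts and
# the function names are assumptions for this example, not the Rockets schema.
USERS: dict[str, bytes] = {}
# Tokens currently accepted for each user, so a logout can revoke one.
ISSUED: dict[str, set[str]] = {}


def register(user_id: str) -> None:
    """Create the account and draw its private random secret."""
    USERS[user_id] = secrets.token_bytes(32)
    ISSUED[user_id] = set()


def _tag(secret: bytes, user_id: str, token: str) -> str:
    # Bind user id and token together under this user's secret. Without the
    # secret an attacker cannot produce a valid tag for somebody else's id.
    return hmac.new(secret, f"{user_id}:{token}".encode(), hashlib.sha256).hexdigest()


def make_login_cookie(user_id: str) -> str:
    """Issue a cookie value of the form user:token:tag."""
    token = secrets.token_hex(16)  # fresh and unguessable for every login
    ISSUED[user_id].add(token)
    return f"{user_id}:{token}:{_tag(USERS[user_id], user_id, token)}"


def verify_login_cookie(cookie: str):
    """Return the user id the cookie proves, or None if it is forged,
    tampered with, malformed or revoked."""
    parts = cookie.split(":")
    if len(parts) != 3:
        return None
    user_id, token, tag = parts
    secret = USERS.get(user_id)
    if secret is None or token not in ISSUED[user_id]:
        return None
    # Constant-time comparison so the check leaks nothing about the tag.
    if not hmac.compare_digest(_tag(secret, user_id, token), tag):
        return None
    return user_id


def logout(cookie: str) -> None:
    """Revoke the token carried in a valid cookie."""
    user_id = verify_login_cookie(cookie)
    if user_id is not None:
        ISSUED[user_id].discard(cookie.split(":")[1])


def set_cookie_header(value: str) -> str:
    """Set-Cookie line: Secure keeps it off plain http, HttpOnly keeps it
    away from page scripts."""
    return f"Set-Cookie: login={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Copying the random token and tag out of your own cookie and editing the user ID fails, because the tag was computed under the original user's secret. The secret still lives in the user database, so a database leak lets an attacker mint cookies; keeping the secret per user at least means one leaked record does not forge everyone's cookies.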



Views: 5976


I have an About page!


Post #: 35
Post type: Blog post
Date: 2012-11-01 17:21:16.000
Author: Rocket Man

It's no Cave Troll, but it will have to do.

Click the "About" link on the top bar to read it!



Views: 5279


Redirections ahoy!


Post #: 34
Post type: Blog post
Date: 2012-10-09 23:51:50.000
Author: Rocket Man

I have implemented redirections, which are basically just an HTTP 3xx status code with a Location header that sends the browser to a new page. The command is:

(page-redirect url-of-page-to-redirect)

The way it works: if the logic in your code (say, a successful sign-in) should move the user to another page, the call sends the redirect and immediately exits, without printing anything else, even if you have put (display-page) later on in the page. Exiting right away matters: a redirect that only added a header and kept going would still send the rest of the page body to the client. So, in our example, if the username and password are valid, it just puts you back on the main page. If they are not valid, the page displays a message normally with (display-page).



Views: 5353


Welcome to the front page!


Post #: 33
Post type: Blog post
Date: 2012-10-04 22:10:57.000
Author: Rocket Man

Since I've disabled non-admins from posting new blog entries, I thought it was safe to move the newLISP on Rockets Blog to the front page of newlisponrockets.com. Wow, that's a lot of saying newlisp on rockets. Did I mention my email was newlisponrockets@newlisponrockets.com?

newlisp on Rockets.



Views: 5245


ONLY I MAY POST!!!


Post #: 32
Post type: Blog post
Date: 2012-10-04 20:44:36.000
Author: Rocket Man

Muahahahaa! Mine is an evil laugh!

No, this is just a side-effect of getting user sign-in working. I have the only account, since I haven't done the Registration part yet.

The plan is that only I will be able to make new blog posts, but anybody who has registered will be able to comment on blog posts.



Views: 5286


Hashing and salting user passwords


Post #: 31
Post type: Blog post
Date: 2012-10-04 00:01:50.000
Author: Rocket Man

It's generally considered to be a bad idea to keep clear-text passwords in your database. If the database is ever compromised, hackers will have everyone's passwords.

What most sites do is hash the passwords with a one-way function like SHA1, which turns the password into a 160-bit digest that can't be turned back into the password. newLISP has a SHA1 function included in the module crypto.lsp.

Unfortunately, hackers these days use dictionary-based attacks: they take every word in the dictionary (and many common password variants that include numbers or years), run each one through SHA1 or the equivalent, and check whether the result matches a stored hash from the compromised database. Because plain SHA1 is fast and gives the same output everywhere, one such pass, or a precomputed table of hashes, cracks every user who picked a dictionary word.

To prevent this, people add salt to the password and then hash THAT. Salt is just a random number. Each user gets their own, stored in the user database next to the hash. The salt doesn't have to be secret: its job is to make the hash of the same password different for every user, so precomputed tables are useless and attackers have to run a separate dictionary attack for each user.

I found a great article on password security here: http://phpsec.org/articles/2005/password-hashing.html

It outlines the whole process and shows how to handle it in PHP. I'm building in the equivalent in Rockets using newLISP code, which will be part of the user sign in process.
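An added example of the process above, in Python rather than the newLISP the post is about, and not code from Rockets or from the linked PHP article. It shows the salted SHA1 scheme the post describes next to a hardened variant using PBKDF2, a slow function that a plain SHA1 is not, plus the dictionary attack the post warns about. The record layout scheme$salt$iterations$digest, the function names and the wordlist are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

# Iteration count for the slow-hash variant; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def sha1_salted(password: str, salt: bytes) -> str:
    """The scheme the post describes: per-user salt plus password through SHA-1."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def pbkdf2(password: str, salt: bytes, iterations: int) -> str:
    """Hardened variant: same salt idea, but a deliberately slow function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def new_record(password: str, scheme: str = "pbkdf2") -> str:
    """Return the string to store in the user table: scheme$salt$iters$digest.
    The salt is random and unique to this user and is stored in the clear."""
    salt = secrets.token_bytes(16)
    if scheme == "sha1":
        return f"sha1${salt.hex()}$1${sha1_salted(password, salt)}"
    return f"pbkdf2${salt.hex()}${PBKDF2_ITERATIONS}${pbkdf2(password, salt, PBKDF2_ITERATIONS)}"


def check_password(record: str, candidate: str) -> bool:
    """Recompute the stored digest from the candidate and compare in constant time."""
    scheme, salt_hex, iters, digest = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        got = sha1_salted(candidate, salt)
    else:
        got = pbkdf2(candidate, salt, int(iters))
    return hmac.compare_digest(got, digest)


def dictionary_attack(record: str, wordlist):
    """What the attacker in the post does with a stolen record: try each word.
    Returns (password or None, guesses tried). Because of the salt this work
    has to be repeated for every stolen record; with pbkdf2 each guess also
    costs PBKDF2_ITERATIONS hash calls instead of one."""
    tries = 0
    for word in wordlist:
        tries += 1
        if check_password(record, word):
            return word, tries
    return None, tries


# Constructed sample wordlist: the "dictionary plus common variants" of the post.
WORDLIST = ["letmein", "password", "password1", "summer2012", "hunter2"]
```

The salted SHA1 variant is included only because it is what the post builds; salting stops precomputed tables, but SHA1 is fast enough that a weak password still falls to a per-user dictionary run in moments. A password hash should be slow on purpose (PBKDF2, bcrypt or scrypt), which is what the pbkdf2 record does.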



Views: 6138


Cookies! Fresh out of the oven!


Post #: 29
Post type: Blog post
Date: 2012-10-03 21:28:17.000
Author: Rocket Man

After much soul-searching, I went ahead and implemented the delayed-write method I talked about in my earlier posts.

At first I tried to overload (print) and (println), and it worked, but jumping in and out of different contexts messed up my ($POST) functions, so I thought I'd simplify my life by just defining new functions: (display) and (displayln). Then at the end you (display-page). You can also (display-image) and (display-post-box). Kind of a theme going there.

Anyway, (set-cookie) now adds a cookie to the headers, which get sent when the page itself is displayed. It seems to be working, so hopefully I can now work on getting user sign-in happening on the Rockets blog!
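An added example, written for this page and not taken from Rockets, of the two mechanisms described here and in the "Redirections ahoy!" post: output is buffered so that (set-cookie) can still add a header after some of the page has been "displayed", and a redirect sends a 302 and discards the buffered body instead of printing it. It is Python rather than newLISP; the class, the exception-based early exit, and the constructed sign-in handler with its fixed credentials are all this example's assumptions modelled on the function names the posts mention.

```python
# Modelled on display / displayln / set-cookie / display-page / page-redirect
# as the posts describe them. Names and behaviour are this example's
# assumptions, not the Rockets implementation.


class Redirect(Exception):
    """Raised by page_redirect to abandon the rest of the handler."""

    def __init__(self, url: str):
        super().__init__(url)
        self.url = url


class Page:
    def __init__(self):
        self.headers = [("Content-Type", "text/html; charset=utf-8")]
        self.body = []

    def display(self, text: str) -> None:
        # Buffered, not written: headers may still change after this call.
        self.body.append(str(text))

    def displayln(self, text: str) -> None:
        self.display(str(text) + "\n")

    def set_cookie(self, name: str, value: str) -> None:
        # Allowed at any point because nothing has hit the wire yet.
        self.headers.append(("Set-Cookie", f"{name}={value}; Path=/; Secure; HttpOnly"))

    def page_redirect(self, url: str) -> None:
        raise Redirect(url)

    def render(self, status: str, extra=(), body: str = "") -> str:
        lines = [f"HTTP/1.1 {status}"]
        lines += [f"{k}: {v}" for k, v in list(self.headers) + list(extra)]
        return "\r\n".join(lines) + "\r\n\r\n" + body


def run(handler) -> str:
    """Run a page handler and return the complete HTTP response text."""
    page = Page()
    try:
        handler(page)
    except Redirect as r:
        # Body discarded, headers (including Set-Cookie) kept, handler stopped.
        return page.render("302 Found", [("Location", r.url)])
    return page.render("200 OK", body="".join(page.body))


# Constructed sign-in handler: valid credentials -> cookie + redirect home.
# The credentials are hard-coded only to keep the example self-contained.
def sign_in_page(page: Page, username: str = "rocketman", password: str = "s3cret",
                 valid=("rocketman", "s3cret")) -> None:
    if (username, password) == valid:
        page.set_cookie("login", "token-goes-here")
        page.page_redirect("/")
    # Only reached when the redirect did not fire.
    page.displayln("Bad username or password.")
```

If page_redirect merely appended a Location header and returned, the "Bad username or password." text (and anything else rendered afterwards) would still be sent along with the 302; raising out of the handler is what guarantees nothing after the redirect is printed.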



Views: 5198


Posted from my iPhone


Post #: 28
Post type: Blog post
Date: 2012-09-27 00:11:21.000
Author: Rocket Man

Yes. It was.



Views: 5182


Try it on your iPhone...


Post #: 27
Post type: Blog post
Date: 2012-09-26 23:11:12.000
Author: Rocket Man


Thanks to Bootstrap's responsive layout, you'll notice the page gets automatically reformatted and the menus work differently.

I think it's pretty neat.



Views: 5795


Fancy graphics!


Post #: 26
Post type: Blog post
Date: 2012-09-26 23:10:52.000
Author: Rocket Man

Courtesy of Bootstrap, the open-source CSS and Javascript library released by Twitter.

Bootstrap's JavaScript components depend on jQuery, which I use a lot and which will be fully integrated into Rockets.



Views: 5349