I'm writing a database front end for a website. Next to the records I want to include links like this:

 Record 1 - [Add][1] [Edit][2] [Delete][3]

But I want to protect these links from being used more than once. My thinking is to pass a hash value, then store a list of valid hash values in a table somewhere and only process requests with valid hash values. Is there a better way to do this?

Update: The answer to this question led me to ask this question: What is the difference between a "nonce" and a "GUID"? Why exactly would you use a nonce instead of a GUID?

Michael Shnitzer

1 Answer

Your idea is correct, except that you should use cryptographically secure random bytes (a "nonce") instead of a hash.

SLaks
  • I'm hoping to find some method that would allow me to determine whether this was a first-time request without hitting the database. That would help protect from DoS attacks as well. – Michael Shnitzer Jul 11 '10 at 02:41
  • I've read a little more about "nonce" value. Is it really the same idea as using a hash, but using the nonce value as the hash? For example, if I created GUID values using the perl Data::GUID module and used those for hash values would that be "nonce"? – Michael Shnitzer Jul 11 '10 at 02:53
  • The point of the nonce is to be unpredictable. If you use a hash, you should use a keyed HMAC SHA 512 hash with a random key, and you should change the key frequently. – SLaks Jul 11 '10 at 03:22
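The following is an added example, not code from the question or the answer above, showing how the accepted approach and the keyed-HMAC suggestion from the comments fit together: every action link gets a fresh token made from CSPRNG bytes (`secrets.token_urlsafe`, the "nonce"), the nonce is stored server-side and removed on first use so the link cannot be replayed, and a keyed HMAC over the nonce, action and record id is appended so that forged or garbage tokens can be rejected with a cheap stateless check before the store is ever consulted. The in-memory dict standing in for the "table of valid values", the token TTL, the `issue_token`/`consume_token` names and the `now` parameter (there only so expiry can be tested deterministically) are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption: one server-side secret, loaded from a secrets store and
# rotated periodically in a real deployment (hard-coded here for the demo).
MAC_KEY = secrets.token_bytes(32)

# Stands in for the "table of valid values" from the question.
# nonce -> (action, record_id, expires_at)
_pending: Dict[str, Tuple[str, int, float]] = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of an unused link


def _mac(nonce: str, action: str, record_id: int) -> str:
    """Keyed tag binding the nonce to one action on one record."""
    msg = f"{nonce}|{action}|{record_id}".encode()
    return hmac.new(MAC_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(action: str, record_id: int, now: Optional[float] = None) -> str:
    """Create a single-use token for e.g. ("delete", 1) and remember it."""
    now = time.time() if now is None else now
    # 32 CSPRNG bytes: unguessable, which a hash of a predictable value
    # (record id, timestamp) is not.
    nonce = secrets.token_urlsafe(32)
    _pending[nonce] = (action, record_id, now + TOKEN_TTL_SECONDS)
    return f"{nonce}.{_mac(nonce, action, record_id)}"


def consume_token(token: str, action: str, record_id: int,
                  now: Optional[float] = None) -> bool:
    """Return True exactly once per issued token, for the bound action/record."""
    now = time.time() if now is None else now
    nonce, sep, tag = token.partition(".")
    if not sep:
        return False
    # Stateless pre-check: a token that was not minted with MAC_KEY for this
    # action and record is rejected here, without any store lookup. This is
    # what keeps junk requests off the database; it does not by itself stop
    # replay of a genuine token, which needs the stateful step below.
    expected = _mac(nonce, action, record_id)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    # Single use: pop removes the nonce, so a second identical request fails.
    entry = _pending.pop(nonce, None)
    if entry is None:
        return False
    stored_action, stored_id, expires_at = entry
    if stored_action != action or stored_id != record_id:
        return False  # defence in depth; the MAC already guarantees this
    if now > expires_at:
        return False  # stale link; already removed from the store
    return True


def render_links(record_id: int) -> str:
    """Example row from the question, with a distinct token per action."""
    parts = [f"[{name.capitalize()}](?action={name}&id={record_id}"
             f"&token={issue_token(name, record_id)})"
             for name in ("add", "edit", "delete")]
    return f"Record {record_id} - " + " ".join(parts)


if __name__ == "__main__":
    print(render_links(1))
    tok = issue_token("delete", 1)
    print("first use :", consume_token(tok, "delete", 1))
    print("second use:", consume_token(tok, "delete", 1))
```

Two points worth noting when moving this off a single process: the `dict.pop` must become an atomic delete in the database (for example `DELETE ... WHERE nonce = ? RETURNING ...`, or a transaction) so two concurrent requests cannot both succeed, and a GUID is designed to be unique, not unpredictable (a version 1 GUID encodes a timestamp and node address), which is why the answer asks for CSPRNG bytes rather than any unique identifier.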