
I was wondering: it now seems to be more and more common to see people/frameworks putting cryptographic tokens in the URLs their webapps generate (to protect quite effectively against quite a few attacks). It is advised by OWASP etc.

However, I was wondering: what was the earliest known usage of this technique (specifically inside web URLs)?

I've found a message on Usenet dating from 2003 (for a Java webapp) describing the technique by someone who, obviously, independently discovered it (he's asking for known "prior art"):

> Every single link in any of the JSP pages transmitted to the client is generated with a checksum that acts as a signature for the URL

The description clearly shows it's a cryptographic checksum being used (and the way it works seems very close to the modern "tokens" OWASP advocates etc.).

Interestingly enough, the person describing it says that "it cannot hurt" but that it may not be that useful since Java is relatively immune to buffer overflows. The author couldn't have imagined that this technique would have stopped most XSS and CSRF exploits dead in their tracks way before these techniques were even invented...

So my question is simple: what is the oldest known usage of this technique that you know of?

EDIT Upon re-reading the old description, I think in that message from 2003 the technique is even more advanced than the "per-session tokens" that OWASP advocates, in that every single parameter is checked against forgery (but I'm not sure).

Cedric Martin

  • *(I hope this very real question for which, indisputably, there exist very valid answers, won't be closed)* – Cedric Martin Nov 08 '11 at 17:12
  • What problem are you trying to solve? What benefit is there in knowing when the earliest usage of this technique was? – ChrisF Nov 08 '11 at 17:15
  • @ChrisF: If someone were to ask: *"When did Huffman discover his minimum-redundancy code?"* and you knew the answer, would you give him the answer or tell him: *"What benefit is there in knowing when Huffman made his discovery?"* How's that not interesting to programmers? – Cedric Martin Nov 08 '11 at 17:21
  • It may be *interesting* but it's not what this site is about. Please read the [FAQ] to see what sort of questions do well here. – ChrisF Nov 08 '11 at 17:22
  • Please move the question to the Cryptography site. Btw, PHP 3 (introduced 1998) already supported cryptographic session IDs. – tuergeist Jan 03 '12 at 07:48
  • @tuergeist We've already asked the Cryptography mods and they don't want it. Programming history is ostensibly on-topic here. – Jan 03 '12 at 08:01
  • @MarkTrapp, didn't you say that history is only on-topic if it [relates to a practical problem](http://meta.programmers.stackexchange.com/questions/2021/are-programming-related-history-trivia-questions-acceptable-on-p-se), and otherwise is trivia? The current question certainly seems trivial to me - not sure what problem it solves. – Cyclops Jan 03 '12 at 13:24
  • @Cyclops While that guideline still holds, I think this question is a gray area: I likely wouldn't fight to keep this open if it were closed, but I'm not going to close it unilaterally. It might be worth asking about on our meta-discussion site to solicit the rest of the community's advice. – Jan 03 '12 at 19:23
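As an added example (not code from the question, the 2003 Usenet message, or any framework), here is a Python sketch of the technique the quoted message describes: an HMAC tag appended to every generated link, keyed with a per-session secret, which the server recomputes over the path and every query parameter so that a link with an altered, added or dropped parameter is rejected. The session key and the URLs are constructed placeholders.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed placeholder: a real app generates this secret when the session
# is created (secrets.token_bytes(32)) and keeps it server-side only.
SESSION_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

SIG_PARAM = "sig"  # query parameter that carries the tag


def _canonical(path, params):
    # Sort the (name, value) pairs so parameter order cannot change the MAC
    # input; the signature parameter itself is excluded from what is signed.
    items = sorted((k, v) for k, v in params if k != SIG_PARAM)
    return (path + "?" + urlencode(items)).encode()


def sign_url(url, key=SESSION_KEY):
    """Append an HMAC-SHA256 tag covering the path and all query parameters."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    tag = hmac.new(key, _canonical(parts.path, params), hashlib.sha256).hexdigest()
    params.append((SIG_PARAM, tag))
    return urlunsplit(parts._replace(query=urlencode(params)))


def verify_url(url, key=SESSION_KEY):
    """True only if exactly one tag is present and it matches the request."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    tags = [v for k, v in params if k == SIG_PARAM]
    if len(tags) != 1:          # missing or duplicated tag: reject
        return False
    expected = hmac.new(key, _canonical(parts.path, params),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, tags[0])
```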

1 Answer


PHP (a non-Java language) that was developed for web applications has used cryptographic hashes in URLs to identify and track a user since 1998. This is known as a session ID.

Java Enterprise 1.0 was released in December 1999 and also uses session IDs in URLs.

But I am still unsure what you EXACTLY want to know.

tuergeist