CrazyDoctor Posted May 18, 2010

Hi all,

Sometimes when I surf on the internet, I see that the website gives me my "secret key". It's a combination of 32 digits and letters without any sense. Example of one of these:

827ccb0eea8a706c4c34a16891f84e7b

What is this for? What does this key tell me and what can I do with it?

Thank you very much!

Edited May 18, 2010 by CrazyDoctor
Tripredacus Posted May 18, 2010

It's a hash key, typically used for session verification.
gamehead200 Posted May 18, 2010

MD5 is one of the most commonly-used hashes: http://en.wikipedia.org/wiki/MD5

Example: The MD5 hash of 12345 is 827ccb0eea8a706c4c34a16891f84e7b.
CrazyDoctor Posted May 18, 2010

What does MD5 use for facebook applications?
cluberti Posted May 19, 2010

I think you might mean, what does facebook use MD5 hashes for? Like a previous poster said - it's part of your authentication token. FB uses the session cookie, your user/pass hash, and an MD5 hash (probably built out of a few other pieces of info) to authenticate that you are really you.
CrazyDoctor Posted May 19, 2010

Sounds interesting, but why do I have to see my MD5? Is that not an action behind the scenes? Do I have any use for my MD5?

Besides that, if I install any facebook application, can the creator of that app detect my facebook password?
Tripredacus Posted May 19, 2010

You see it partly because Facebook is lazy. There are other ways to do it, but who knows why FB decides to show it to you. It has nothing to do with your password.

Here is a general example of why they use this type of info. Say you go to a website. When you get there, it creates a cookie. Inside the cookie is a temporary MD5 hash value. This is also stored in your browser session. This way, the site will check every time you go to a page to see if you are logged in. It may do this by making sure the hash in your browser session matches the one in your cookie. If they are the same, you are logged in. If they are not the same (or the cookie is deleted) you are not logged in anymore. You can even try that here. MSFN does not put the hash value in the URL for you to see, but it is there. Go and delete your cookie and refresh the page. You will not be logged in anymore!

Anyone who is smart at webpage security would make it so the hash has an expiry. So that no one can take your cookie to steal your login. In the best cases, there are 3 keys used by the website. One in the cookie, one in the browser and one on the server. This way, you can say (A + B) * ServerCode = C. So that the cookie and browser key can be different, but the server can take both of them and generate a third key it keeps to itself. So as long as A + B = C you will be logged in.

Edited May 24, 2010 by Tripredacus (disabled emotes)
cluberti Posted May 20, 2010

I don't think it's lazy, I think it is more likely the way the Facebook JavaScript APIs are written (for website integration by non-Facebook sites). The only way for Facebook to get access to determining that you are you through a 3rd party site is to use a cookie and a key (in this case, the MD5 hash). It actually makes sense to see it in the header if you think about how Facebook is modularizing and providing SDK access to the site.

Or, it might just be developer indolence.
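
The per-request check described in Tripredacus's post above (a value in the cookie, an expiry, and a key that only the server holds), sketched as an added example that is not part of the original thread and is not Facebook's or MSFN's code. It swaps in HMAC-SHA256 for the MD5 value and the (A + B) * ServerCode arithmetic mentioned in the posts; `SERVER_KEY`, `SESSION_TTL` and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumed: kept on the server, never sent to the browser
SESSION_TTL = 1800                    # assumed lifetime in seconds (constructed value)


def md5_hex(text):
    """Unkeyed MD5, as quoted in the thread: anyone can recompute it from the input."""
    return hashlib.md5(text.encode()).hexdigest()


def _tag(session_id, expires):
    """Server-keyed tag over the id and expiry; cannot be rebuilt without SERVER_KEY."""
    msg = f"{session_id}.{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(now=None):
    """Cookie value: random id (not a hash of user data), expiry time, keyed tag."""
    now = time.time() if now is None else now
    session_id = secrets.token_hex(16)  # 32 hex characters, like the string in the thread
    expires = int(now) + SESSION_TTL
    return f"{session_id}.{expires}.{_tag(session_id, expires)}"


def is_logged_in(cookie, now=None):
    """Run on every page request; returns False for missing, altered or expired cookies."""
    if not cookie:  # cookie deleted: logged out
        return False
    now = time.time() if now is None else now
    parts = cookie.split(".")
    if len(parts) != 3 or not parts[1].isdecimal():
        return False
    session_id, expires, tag = parts[0], int(parts[1]), parts[2]
    expected = _tag(session_id, expires)
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    return now < expires  # the expiry bounds how long a copied cookie stays usable
```

The expiry only limits the window in which a copied cookie works; sending the cookie over HTTPS with the `Secure` and `HttpOnly` attributes is what keeps it from being copied in the first place.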