Re: CSRF prevention token, why not HMAC_sha1(secret, action_name + session_id)?
oddmund <oddmund.mogedal@xxxxxxxxx> wrote:
[...]
HMAC_sha1(action_name + secret, session_id)
[... vs ...]
HMAC_sha1(secret, action_name + session_id)
[...]
Would this make any difference from a security perspective, or is it
equivalent?

For your purposes, it would seem equivalent.

--
Kristian Gjøsteen
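
The two constructions from the question, written out as an added example (not code from either poster). The secret value, the function names and the length prefix on the action name are assumptions of this sketch; the thread itself writes plain concatenation.

```python
import hashlib
import hmac

# Constructed sample key for the demo; a real deployment uses a random server-side secret.
SECRET = b"constructed-demo-secret"


def _encode(action_name: str, session_id: str) -> bytes:
    # Assumption of this example: length-prefix the action so that
    # ("edit", "1abc") and ("edit1", "abc") produce different HMAC inputs.
    action = action_name.encode()
    return len(action).to_bytes(2, "big") + action + session_id.encode()


def token_secret_as_key(secret: bytes, action_name: str, session_id: str) -> str:
    # HMAC_sha1(secret, action_name + session_id): the secret alone is the key.
    msg = _encode(action_name, session_id)
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()


def token_action_in_key(secret: bytes, action_name: str, session_id: str) -> str:
    # HMAC_sha1(action_name + secret, session_id): the action is folded into the key.
    key = action_name.encode() + secret
    return hmac.new(key, session_id.encode(), hashlib.sha1).hexdigest()


def verify(secret: bytes, action_name: str, session_id: str,
           presented: str, make=token_secret_as_key) -> bool:
    # Recompute the token for this action and session, then compare in
    # constant time so the check does not leak how many characters matched.
    expected = make(secret, action_name, session_id)
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    sid = "constructed-session-id"
    for make in (token_secret_as_key, token_action_in_key):
        tok = make(SECRET, "delete_post", sid)
        print(make.__name__, tok,
              verify(SECRET, "delete_post", sid, tok, make),   # same action
              verify(SECRET, "edit_post", sid, tok, make))     # other action
```

Either variant yields a token that only verifies for the action and session it was issued for.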