English term or phrase: dynamic application key

You are absolutely correct. What I said doesn't solve the problem. I was thinking about this and then got distracted. I forgot to tell you about the dynamic part of the key.

What I've done in the past is to have the host application create a dynamic application key containing the secret string, but also concatenating a time code, a session ID, an IP address, or some other value that changes but can be independently matched. One nice thing about ColdFusion is that it generates globally unique session IDs for you. This scheme sometimes takes some thought. The concatenated key is encrypted and sent to the client. The client, in turn, sends this to the receiving service. The service then decrypts and parses the application key, using a decryption key known only to the service and the original server. The service then authenticates the key by comparing the secret word as well as the dynamic information against the independently derived values. The details are usually dependent upon the business rules of the application. This means that even if the key is stored and reused, the bogus access will either be prevented, will return useless information, or will be prevented from forging or corrupting the stored data. I have used this method to transmit secure URLs in emails. One problem with using time in the application key is that it prevents the key from being stored for future use. This may not be desirable.
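The exchange described in the post above (host application seals secret word plus dynamic fields, client forwards the token, service unseals and checks each field against what it derived itself), as an added example that is not part of the original post and is not ColdFusion code. It is Python using only the standard library; the secret word, the JSON field names, the 300-second window, the key sizes and the HMAC-based seal/unseal construction are all assumptions made for this illustration. The post only says the key is "encrypted"; the example adds an integrity tag, because a ciphertext the service cannot authenticate could be tampered with before the parse step.

```python
"""Dynamic application key: issued by the host application, verified by the service.

Stdlib-only illustration (assumption, not the poster's code). Confidentiality comes
from an HMAC-SHA256 keystream (CTR-style PRF), integrity from an encrypt-then-MAC
HMAC tag. A production build should replace seal()/open_sealed() with a real AEAD
such as AES-GCM; the surrounding issue/verify logic stays the same.
"""
import hashlib
import hmac
import json
import os
import time

NONCE_LEN = 16
TAG_LEN = 32
SECRET_WORD = "hypothetical-shared-secret-word"  # stands in for the post's "secret string"


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: concatenated HMAC(enc_key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> str:
    """Encrypt-then-MAC. Returns hex(nonce || ciphertext || tag), safe to put in a URL."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def open_sealed(enc_key: bytes, mac_key: bytes, token: str) -> bytes:
    """Check the tag in constant time before decrypting. Raises ValueError on any failure."""
    blob = bytes.fromhex(token)  # ValueError on non-hex input
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: forged or tampered application key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def issue_application_key(enc_key, mac_key, session_id, client_ip, now=None) -> str:
    """Host application side: secret word plus the dynamic fields, sealed for the service."""
    fields = {
        "secret": SECRET_WORD,
        "session": session_id,          # e.g. the framework's session ID
        "ip": client_ip,                # the address the host app saw
        "issued": int(now if now is not None else time.time()),
    }
    return seal(enc_key, mac_key, json.dumps(fields).encode())


def verify_application_key(enc_key, mac_key, token, session_id, client_ip,
                           max_age=300, now=None):
    """Service side. session_id and client_ip are the values the service derived on its
    own (its session store, the connecting socket's address), never taken from the token.
    Returns (ok, reason) so the caller can log why a reused or forged key was refused."""
    try:
        fields = json.loads(open_sealed(enc_key, mac_key, token).decode())
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable"
    if not isinstance(fields, dict):
        return False, "malformed"
    if not hmac.compare_digest(str(fields.get("secret", "")).encode(), SECRET_WORD.encode()):
        return False, "secret mismatch"
    if fields.get("session") != session_id:
        return False, "session mismatch"
    if fields.get("ip") != client_ip:
        return False, "ip mismatch"
    now = int(now if now is not None else time.time())
    try:
        age = now - int(fields["issued"])
    except (KeyError, TypeError, ValueError):
        return False, "missing timestamp"
    # The time field is exactly what stops a captured key from being stored and replayed
    # later; drop "issued" and this check if keys must remain usable across sessions.
    if not 0 <= age <= max_age:
        return False, "expired"
    return True, "ok"
```

Two design points worth keeping whatever cipher is used: the encryption key and MAC key are separate, and the tag is checked before any decryption or parsing so the service never acts on attacker-controlled bytes. Binding to the client IP is the weakest of the three dynamic values in practice (the recipient of an emailed URL may well open it from a different network), so a session ID or a one-time nonce recorded on the service side is usually the more reliable field to match.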