Simon Willison’s Weblog

Django snippets: Sign a string using SHA1, then shrink it using url-safe base65. I needed a way to create tamper-proof URLs and cookies by signing them, but didn’t want the overhead of a full 40 character SHA1 hash. After some experimentation, it turns out you can knock a 40 char hash down to 27 characters by encoding it using a custom base65 encoding which only uses URL-safe characters.

6 comments

  1. That could be useful. Thanks!

    Julian - 28th August 2008 00:17 - #

  2. Oh, and you are sure you don't mean base64?

    Julian - 28th August 2008 00:20 - #

  3. MMmm... not sure it's really worth the effort even in a cookie. For example two cookies set by .djangosnippets.org
    158198127.1219883726.2.2.utmccn=(referral)|utmcsr=planet.intertwingly.net|utmcct=/|utmcmd=referral
    and
    158198127.1504419398.1219246742.1219246742.1219883726.2
    Both of those could clearly be compressed... but really, why bother?

    Gavin - 28th August 2008 01:46 - #

  4. Julian: nope, it's base65, and it's something I made up (though I'm sure it's been made up by lots of other people before). It uses all 65 characters that don't need to be encoded to pass in a URL - that's a-z, A-Z, 0-9 and the underscore, hyphen and full-stop.

    Simon Willison - 28th August 2008 09:12 - #

  5. If you just need some low-security obfuscation to prevent guessability, you could even XOR some of the bytes of your checksum together to shorten it first.

    Obviously not recommended for real security needs, though.

    dmc - 28th August 2008 09:49 - #

  6. Perhaps you are interested in a reverse SHA-1 search? http://www.sha1-lookup.com

    Jens Hafelmeier - 30th August 2008 11:13 - #

Comments are closed.
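
The scheme described in the post, with the 65-character alphabet listed in comment 4, as an added example that is not the linked Django snippet or the author's code. It assumes HMAC-SHA1 as the signing step, this particular alphabet ordering, a "." separator and fixed-width padding to 27 characters; the key and value are constructed demo data.

```python
import hashlib
import hmac
import string

# Assumed ordering; comment 4 names only the character classes.
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + "_-."
BASE = len(ALPHABET)  # 65
SIG_LEN = 27  # smallest n with 65**n >= 2**160 (a SHA1 digest is 160 bits)


def base65_encode(digest: bytes) -> str:
    """Encode a 20-byte digest as a fixed-width, URL-safe 27-character string."""
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(SIG_LEN):  # fixed width, so leading zero digits are kept
        n, rem = divmod(n, BASE)
        chars.append(ALPHABET[rem])
    return "".join(reversed(chars))


def signature(value: str, key: bytes) -> str:
    # HMAC-SHA1 is this example's choice of keyed hash (an assumption).
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha1).digest()
    return base65_encode(mac)


def sign(value: str, key: bytes) -> str:
    return value + "." + signature(value, key)


def unsign(signed: str, key: bytes) -> str:
    """Return the original value, or raise ValueError if it was altered."""
    if len(signed) <= SIG_LEN or signed[-SIG_LEN - 1] != ".":
        raise ValueError("malformed signed value")
    # Split by width, not by ".", because the signature itself may contain ".".
    value, sig = signed[:-SIG_LEN - 1], signed[-SIG_LEN:]
    expected = signature(value, key)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        raise ValueError("signature mismatch")
    return value


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; use a real secret in practice
    token = sign("next=/account/", key)
    print(token)
    print(unsign(token, key))
```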