At 01:48 PM 10/11/01 -0700, you wrote:
>At 04:38 PM 10/11/2001 -0400, Geoff Talvola wrote:
>>I could write a program that keeps on trying random session IDs with the
>>date/time part of the session ID set to a couple of minutes ago, so the
>>session is likely to still be around. It might take hundreds of
>>thousands of tries but it would eventually find a valid session ID,
>>especially on a site that gets a lot of traffic and therefore has a lot
>>of new sessions getting created all the time.
>Then would it be correct for me to say that the response is to increase
>the number of tries to something ridiculously high until it become
>prohibitive to use that approach?
Sure. Just make a longer random number to use as the random part of the
Actually, a bigger flaw may be in relying on Python's pseudo-random number
generator. Suppose you send a quick flurry of ten requests to WebKit,
therefore generating 10 random session IDs in sequence. You might be able
to use those 10 numbers to predict what the next number will be. After
all, it's just a pseudo-random number generator. So you may be able to
make a very educated guess what the next session ID is going to be.
This is why concatenating in a blob of truly random data and sha'ing or
md5'ing it would be better. That would be next to impossible for anyone to
- Geoff Talvola