At 03:29 PM 10/11/2001 -0400, Geoff Talvola wrote:
>That reminds me of something I meant to bring up a while ago. Session IDs
>are currently not very random. Only the last 5 digits are actually random
>-- the rest of it is just the current time expressed as a string.
>This could be a security hole in that it makes it not too hard to guess
>the session ID and take over a session.
>Any ideas how this could be made more random? One idea is to construct
>the session ID by taking the existing session ID, concatenating it with a
>big blob of random characters perhaps generated at Webware install time,
>and run it through md5 or sha and spit out the hexdigest. This will end
>up with a string that should be unguessable unless the guesser has access
>to the original blob of random characters.
First, let me say that I get burned using UNIX and Windows, because in many
UNIX programs Ctrl-e goes to the end of the line and in Eudora for Windows
it sends the current e-mail.
That explains my last message.
(And then there's Ctrl-Z vs. Ctrl-D combined with the fact that Python will
specialize words like "exit" and "quit" but only to tell you that they
Okay, so I'm curious how you would actually guess a session on my server?
You need to get a number between 0 and 99999 AND you need to know the exact
date, including second, that the session was created.
You say that "only the last 5 digits are actually random" but that doesn't
mean the other 14 digits are negligible. They're not. I'll go ahead and
give you the year, month and day, but where are you going to come up with
the correct hour, minute, second AND a 5 digit random number?
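To make the two schemes in this exchange concrete, here is an added example (written for this page, not Webware's own code). It builds a session ID the way the thread describes the current one, a 14-digit timestamp string followed by 5 random digits, and beside it Geoff's proposed variant, the old ID combined with an install-time random blob and hashed. The exact `YYYYMMDDHHMMSS` layout, the HMAC-SHA256 construction in place of a bare `md5`/`sha` of the concatenation, and the helper names are assumptions of this example; the candidate-count helper just computes the search space the reply asks about for a given window of uncertainty in the creation time.

```python
import hashlib
import hmac
import secrets
from datetime import datetime

# Assumed legacy layout (not Webware's actual code): 14 digits of
# YYYYMMDDHHMMSS followed by 5 random decimal digits, 19 digits total.
TIME_FMT = "%Y%m%d%H%M%S"
RANDOM_DIGITS = 5

# Constructed timestamp for the worked example: the date of the quoted mail.
EXAMPLE_TIME = datetime(2001, 10, 11, 15, 29, 0)


def legacy_session_id(now, rand):
    """Timestamp string plus a zero-padded 5-digit random suffix."""
    if not 0 <= rand < 10 ** RANDOM_DIGITS:
        raise ValueError("random part must fit in %d digits" % RANDOM_DIGITS)
    return now.strftime(TIME_FMT) + "%0*d" % (RANDOM_DIGITS, rand)


def new_legacy_session_id():
    """What a server using the legacy scheme would hand out right now."""
    return legacy_session_id(datetime.now(), secrets.randbelow(10 ** RANDOM_DIGITS))


def make_install_secret(nbytes=32):
    """The 'big blob of random characters' from the proposal: generated once
    at install time from the OS CSPRNG and kept server-side."""
    return secrets.token_bytes(nbytes)


def hashed_session_id(legacy_id, install_secret):
    """Geoff's proposal: combine the legacy ID with the install-time blob and
    emit a hex digest.  HMAC-SHA256 is used here instead of a plain hash of
    the concatenation (an assumption of this example, same idea)."""
    return hmac.new(install_secret, legacy_id.encode("ascii"),
                    hashlib.sha256).hexdigest()


def legacy_candidates(seconds_of_uncertainty):
    """How many distinct legacy IDs exist for a creation time known only to
    within the given number of seconds: one ID per second per random suffix.
    A full day (86400 s) gives 86400 * 10**5 candidates."""
    if seconds_of_uncertainty < 1:
        raise ValueError("need at least a one-second window")
    return seconds_of_uncertainty * 10 ** RANDOM_DIGITS


def hashed_output_space():
    """Without the install-time blob a guesser cannot enumerate the inputs
    of the hashed scheme and is left guessing the 256-bit digest itself."""
    return 2 ** 256


if __name__ == "__main__":
    old = legacy_session_id(EXAMPLE_TIME, 12345)
    blob = make_install_secret()
    print("legacy id:         ", old)
    print("hashed id:         ", hashed_session_id(old, blob))
    print("candidates, 1 day: ", legacy_candidates(24 * 60 * 60))
    print("candidates, 1 hour:", legacy_candidates(60 * 60))
```

The hashed form only helps while the install-time blob stays secret, which is the condition Geoff states; anyone who can read it can recompute the digest from the same timestamp-plus-suffix inputs.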