Menu
▾
▴
Re: [Sbcl-help] "true" randomness
|
From: Robert U. <ead...@gm...> - 2009-07-10 17:08:00
|
"Leslie P. Polzer" <sk...@vi...> writes:
>
>> Then again, not being a web programmer I'm not quite certain what
>> properties one wants in a sessionid. (Eg. why timestamp + uniquefying
>> counter is worse than a random sessionid?)
>
> It's a security issue. Guessable session ids let an attacker take over
> the user's session, thereby assuming their identity.
Note that Hunchentoot's session handling already implements session ID
encryption; it even uses a random session secret each time the Lisp
process is restarted.
If for some reason you don't trust Hunchentoot's session key encryption,
you could roll your own using Ironclad. I'm reading session.lisp right
now and it looks like the HTML docs are inaccurate: creating your own
session type requires creating a new REQUEST subclass and overriding
SESSION-VERIFY.
Maybe someday in my Copious Free Time I can submit some patches to make
it easier to create one's own SESSION subclasses.
--
The CS curriculum really is critical. Learning it would save you from
inventing PHP, which would be a huge benefit to mankind.
--David Chapman
|