From: Robert U. <ead...@gm...> - 2009-07-10 17:08:00

"Leslie P. Polzer" <sk...@vi...> writes:

>
>> Then again, not being a web programmer I'm not quite certain what
>> properties one wants in a sessionid. (Eg. why timestamp + uniquefying
>> counter is worse than a random sessionid?)
>
> It's a security issue. Guessable session ids let an attacker take over
> the user's session, thereby assuming their identity.

Note that Hunchentoot's session handling already implements session ID
encryption; it even uses a random session secret each time the Lisp
process is restarted. If for some reason you don't trust Hunchentoot's
session key encryption, you could roll your own using Ironclad.

I'm reading session.lisp right now and it looks like the HTML docs are
inaccurate: creating your own session type requires creating a new
REQUEST subclass and overriding SESSION-VERIFY. Maybe someday in my
Copious Free Time I can submit some patches to make it easier to create
one's own SESSION subclasses.

--
The CS curriculum really is critical. Learning it would save you from
inventing PHP, which would be a huge benefit to mankind. --David Chapman
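The following is an added example, not code from this thread, from Hunchentoot or from Ironclad's documentation. It puts the two schemes the thread contrasts side by side: a timestamp-plus-counter id, which an attacker can enumerate, and a "roll your own with Ironclad" token made of a CSPRNG-generated id plus a keyed MAC under a secret that is regenerated every time the Lisp image starts. The package name, the `id:mac` cookie layout and the HMAC-SHA256 choice are this example's own assumptions, not Hunchentoot's actual session format; it assumes a current Ironclad where `ironclad:random-data` draws from an OS-seeded `ironclad:*prng*`.

```lisp
;;; Added example (not Hunchentoot's or Ironclad's own code).
;;; Load with: (ql:quickload "ironclad") before compiling this file.

(defpackage :session-id-demo
  (:use :cl)
  (:export #:weak-session-id #:make-session-token #:verify-session-token))
(in-package :session-id-demo)

;;; --- The scheme questioned in the thread: timestamp + uniquefying counter.
;;; Every value is predictable. Someone who knows roughly when a victim
;;; logged in only has to try a handful of (time, counter) pairs.
(defvar *counter* 0)

(defun weak-session-id ()
  "Predictable id: universal-time and a process-wide counter."
  (format nil "~D-~D" (get-universal-time) (incf *counter*)))

;;; --- Unguessable id: 128 bits from the CSPRNG behind ironclad:*prng*.
(defun random-session-id ()
  "32 hex chars built from 16 random bytes; enumerating them is infeasible."
  (ironclad:byte-array-to-hex-string (ironclad:random-data 16)))

;;; --- Per-process secret, mirroring the 'random session secret on every
;;; restart' point from the thread: a restart silently invalidates every
;;; outstanding token, and a forged token never verifies.
(defvar *session-secret* (ironclad:random-data 32)
  "Fresh 256-bit HMAC key each time the Lisp image starts (assumption of
this example, not Hunchentoot's mechanism).")

(defun session-mac (id)
  "Hex HMAC-SHA256 of ID under *SESSION-SECRET*."
  (let ((hmac (ironclad:make-hmac *session-secret* :sha256)))
    (ironclad:update-hmac hmac (ironclad:ascii-string-to-byte-array id))
    (ironclad:byte-array-to-hex-string (ironclad:hmac-digest hmac))))

(defun make-session-token ()
  "Cookie value in the hypothetical layout \"id:mac\"."
  (let ((id (random-session-id)))
    (format nil "~A:~A" id (session-mac id))))

(defun constant-time-string= (a b)
  "Compare two equal-length strings without leaking where they differ."
  (and (= (length a) (length b))
       (zerop (loop with acc = 0
                    for x across a
                    for y across b
                    do (setf acc (logior acc (logxor (char-code x)
                                                     (char-code y))))
                    finally (return acc)))))

(defun verify-session-token (token)
  "Return the session id when TOKEN carries a valid MAC under the current
secret, NIL for a malformed, forged or restart-stale token."
  (let ((colon (position #\: token)))
    (when colon
      (let ((id (subseq token 0 colon))
            (mac (subseq token (1+ colon))))
        (and (constant-time-string= mac (session-mac id)) id)))))

;;; Self-check at load time: a fresh token verifies, a tampered one does not.
(let ((token (make-session-token)))
  (assert (verify-session-token token))
  (assert (null (verify-session-token (concatenate 'string "0" (subseq token 1)))))
  (assert (null (verify-session-token "not-a-token"))))
```

The MAC is what makes the token tamper-evident: an attacker who learns the `id:mac` layout still cannot mint a cookie for another user's id without `*session-secret*`, and because that secret is regenerated per process, a token captured before a restart is rejected afterwards. The constant-time comparison matters because a plain `string=` returns as soon as the first byte differs, which can leak how much of a guessed MAC is correct.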