From: Chris N. <pu...@po...> - 2001-01-25 15:03:48
At 13:39 -0800 01.24.2001, Brian Aker wrote:
>Is there any reason why we are randomly generating a number
>still in sessions to use it as the session ID? It could
>easily be an autoincrement.

Since the session was being put into the cookie, and that was what authenticated you, a sequence of any kind would be dangerous. Guess the right number and be authenticated as that admin.

>For that matter the cookie basically isn't really needed
>any longer for sessions. It could all be done in the
>database now that we don't use that cookie for any
>sort of authentication. This isn't a priority but
>it is a waste of code at the moment.

Yes, since we no longer put it in the cookie, there is no longer a need to make it random, I believe.

--
Chris Nandor pu...@po... http://pudge.net/
Open Source Development Network pu...@os... http://osdn.com/