From: Nathan V. <na...@th...> - 2001-01-25 18:18:11
On Thu, 25 Jan 2001, Chris Nandor wrote:

> At 13:39 -0800 01.24.2001, Brian Aker wrote:
> >Is there any reason why we are randomly generating a number
> >still in sessions to use it as the session ID? It could
> >easily be an autoincrement.
>
> Since the session was being put into the cookie, and that was what
> authenticated you, a sequence of any kind would be dangerous. Guess the
> right number and be authenticated as that admin.

Even a random number could be guessed by brute force, which is why most session management includes a checksum including the client ip and a secret value known only to the server. Chapter 5 in the O'Reilly mod_perl book (Stein and MacEachern) covers this in detail, especially p 213 and following.

Have you considered using the Apache::Session module? It seems to be a good interface for generating unique session ids that are hard to spoof, though I haven't used it yet (I rolled my own on the one project I've used them for so far).

-n

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathan Vonnahme                          na...@th...
senior web developer           third sector technologies
http://enteuxis.org/nathan       http://thethirdsector.com
~~~~~~~~~~~~~~~~ global = useless ~~~~~~~~~~~~~~~~~
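The design Nathan describes, a session cookie whose id is protected by a checksum over the client address and a server-only secret, is shown below as an added example; it is not code from this thread, from Slash, or from Apache::Session, and it is in Python rather than the Perl of the mod_perl discussion. The "checksum" is implemented here as HMAC-SHA256, which is my choice, not something the thread specifies; `SERVER_SECRET`, the session id 42 and the client addresses are constructed values. With the MAC in place the id itself can safely be a plain autoincrement, as Brian asked: guessing the next id gets an attacker nothing without the secret.

```python
import hashlib
import hmac

# Constructed demo secret. In a real deployment this is loaded from
# configuration with restricted permissions and never committed to source.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def _mac(session_id: int, client_ip: str, secret: bytes) -> str:
    """HMAC-SHA256 over id||ip, keyed with the server secret."""
    msg = f"{session_id}|{client_ip}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_session_cookie(session_id: int, client_ip: str,
                        secret: bytes = SERVER_SECRET) -> str:
    """Build the cookie value 'id.mac'.

    The id may be sequential; the MAC is what makes the cookie unforgeable,
    because the client never sees the secret needed to compute it.
    """
    return f"{session_id}.{_mac(session_id, client_ip, secret)}"


def verify_session_cookie(cookie: str, client_ip: str,
                          secret: bytes = SERVER_SECRET):
    """Return the session id if the MAC is valid for this client, else None."""
    try:
        id_part, mac_part = cookie.split(".", 1)
        session_id = int(id_part)
    except ValueError:
        return None          # malformed cookie: wrong shape or non-numeric id
    expected = _mac(session_id, client_ip, secret)
    # Constant-time comparison so a forger learns nothing from response timing
    # about how many leading MAC characters matched.
    if not hmac.compare_digest(expected.encode(), mac_part.encode()):
        return None
    return session_id


def demo() -> dict:
    """Exercise the legitimate path and the failure modes the thread discusses."""
    ip = "192.0.2.10"                      # constructed client address
    cookie = make_session_cookie(42, ip)
    # Brute-force guess of the next sequential id, reusing the observed MAC.
    next_id_guess = "43." + cookie.split(".", 1)[1]
    return {
        "valid": verify_session_cookie(cookie, ip),                 # 42
        "next_id_guess": verify_session_cookie(next_id_guess, ip),  # None
        "other_client": verify_session_cookie(cookie, "198.51.100.7"),  # None
        "garbage": verify_session_cookie("not-a-cookie", ip),       # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Binding the MAC to the client address, as the book recommends, also means a user whose address changes mid-session (a mobile client, a rotating proxy pool) is logged out; whether that trade-off is acceptable depends on the user base, and a deployment that cannot accept it should drop the address from the MAC input and rely on an unguessable random id plus the secret alone.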