From: Chris N. <pu...@po...> - 2001-01-25 18:33:15
At 09:12 -0900 01.25.2001, Nathan Vonnahme wrote:
>On Thu, 25 Jan 2001, Chris Nandor wrote:
>
>> At 13:39 -0800 01.24.2001, Brian Aker wrote:
>> >Is there any reason why we are randomly generating a number
>> >still in sessions to use it as the session ID? It could
>> >easily be an autoincrement.
>>
>> Since the session was being put into the cookie, and that was what
>> authenticated you, a sequence of any kind would be dangerous. Guess the
>> right number and be authenticated as that admin.
>
>Even a random number could be guessed by brute force, which is why most
>session management includes a checksum including the client ip and a
>secret value known only to the server. Chapter 5 in the O'Reilly mod_perl
>book (Stein and MacEachern) covers this in detail, especially p 213 and
>following.

Yes, it could be guessed, but that is almost impossible. You'd have better
luck actually guessing the admin's password, because the password doesn't
change periodically, and the session cookie does.

>Have you considered using the Apache::Session module? It seems to be a
>good interface for generating unique session ids that are hard to spoof,
>though I haven't used it yet (I rolled my own on the one project I've used
>them for so far).

Well, in our new system, session IDs are not used for security anymore,
they are only used for tracking the activity of an author (how long they
have been logged on and what story they are working on and such), so I
don't think that's necessary. The only way an author/admin is logged in,
anymore, is by his regular username and password, and the user cookie that
goes with it.

--
Chris Nandor                      pu...@po...    http://pudge.net/
Open Source Development Network    pu...@os...    http://osdn.com/
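The checksum scheme Nathan describes, a session id bound to the client IP and a server-side secret so that neither a sequential id nor a replayed cookie verifies, as an added Python illustration (not code from this thread or from Slash); the secret, ids and addresses are constructed values and the `demo()` cases are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed secret for this illustration; a real server keeps it out of
# source control and rotates it. Without it, a valid MAC cannot be forged.
SERVER_SECRET = b"constructed-example-secret"


def new_session_id() -> str:
    """A 128-bit random id: far too large a space to enumerate."""
    return secrets.token_hex(16)


def _mac(session_id: str, client_ip: str, secret: bytes) -> str:
    # Bind the id to the client address and to the server secret.
    msg = f"{session_id}|{client_ip}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_session_cookie(session_id: str, client_ip: str,
                        secret: bytes = SERVER_SECRET) -> str:
    """Cookie value is 'id.mac'; with the MAC, even a sequential id is safe."""
    return f"{session_id}.{_mac(session_id, client_ip, secret)}"


def verify_session_cookie(cookie: str, client_ip: str,
                          secret: bytes = SERVER_SECRET):
    """Return the session id when the MAC is valid for this client, else None."""
    session_id, sep, presented = cookie.partition(".")
    if not sep:
        return None
    expected = _mac(session_id, client_ip, secret)
    # Constant-time compare: a plain == leaks the matched-prefix length via timing.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return None
    return session_id


def demo() -> dict:
    """Exercise the cases the thread argues about (constructed data)."""
    cookie = make_session_cookie("42", "10.0.0.5")   # autoincrement-style id
    _, _, mac = cookie.partition(".")
    return {
        "legit": verify_session_cookie(cookie, "10.0.0.5"),
        # Guessing the next sequential id while reusing the observed MAC fails.
        "next_id_guess": verify_session_cookie(f"43.{mac}", "10.0.0.5"),
        # Replaying the genuine cookie from another address fails too.
        "other_ip": verify_session_cookie(cookie, "192.0.2.9"),
        "garbage": verify_session_cookie("no-separator", "10.0.0.5"),
    }
```

Binding to the client IP does break sessions for clients behind rotating proxies, which is why some deployments bind to the secret alone and rely on a large random id.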