Re: Safe session IDs

From: Jarno Huuskonen (Jarno.Huuskonenat_private)
Date: Thu Jan 10 2002 - 22:02:00 PST


    On Thu, Jan 10, Ryan M Harris wrote:
    > What is the most secure way of generating a session number?
    > 
    > I have used the following formula in the past.  Is it secure (from a
    > randomness perspective)?  Any way to make it more secure/random?
    
    I would recommend reading the cookie eaters publications:
    http://cookies.lcs.mit.edu/pubs.html
    
    > sessionid = md5( <REMOTE_IP> + <REMOTE_USER_AGENT> + rand() (5 bytes from
    > here) + microtime() )
    
    How do you seed the PRNG (srand)? According to man 3 rand on my Linux
    box, if you don't seed it, it'll use 1 as seed all the time, so it's
    possible that rand() gives you the same sequence all the time.
    
    -Jarno
    
    -- 
    Jarno Huuskonen <Jarno.Huuskonenat_private>
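
The point raised in the reply above, as an added example in C that is not part of the original thread: rand() called before any srand() returns the same sequence as after srand(1), and any seed that can be guessed replays identically, so the hardened function draws the session ID from the kernel CSPRNG instead. The function names, the 16-byte ID length, the seed value 12345 and the use of /dev/urandom are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define N 5

/* 1 if rand() before any srand() matches the sequence after srand(1).
 * Only meaningful as the first use of rand() in the process. */
int unseeded_equals_seed_one(void)
{
    int before[N], after[N], i;
    for (i = 0; i < N; i++) before[i] = rand();   /* never seeded */
    srand(1);
    for (i = 0; i < N; i++) after[i] = rand();
    return memcmp(before, after, sizeof before) == 0;
}

/* 1 if re-seeding with the same value replays the same output. */
int same_seed_replays(unsigned seed)
{
    int a, b;
    srand(seed); a = rand();
    srand(seed); b = rand();
    return a == b;
}

/* Hardened form: 16 bytes from the kernel CSPRNG, hex-encoded into out.
 * Returns 0 on success, -1 on failure (fail closed, no rand() fallback). */
int new_session_id(char out[33])
{
    unsigned char buf[16];
    size_t i, got;
    FILE *f = fopen("/dev/urandom", "rb");   /* assumed available (Linux/BSD) */
    if (f == NULL) return -1;
    got = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (got != sizeof buf) return -1;
    for (i = 0; i < sizeof buf; i++)
        snprintf(out + 2 * i, 3, "%02x", buf[i]);
    return 0;
}

int main(void)
{
    char sid[33];
    printf("unseeded == srand(1): %d\n", unseeded_equals_seed_one());
    printf("same seed replays:    %d\n", same_seed_replays(12345u)); /* constructed seed */
    if (new_session_id(sid) != 0) return 1;
    printf("session id: %s\n", sid);
    return 0;
}
```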
    


