Re: Safe session IDs

From: Glynn Clements (glynn.clementsat_private)
Date: Thu Jan 10 2002 - 18:34:30 PST

    Ryan M Harris wrote:
    
    > What is the most secure way of generating a session number?
    
    With a decent (hardware) RNG.
    
    > I have used the following formula in the past.
    
    > sessionid = md5( <REMOTE_IP> + <REMOTE_USER_AGENT> + rand() (5 bytes from
    > here) + microtime() )
    
    > Is it secure (from a randomness perspective)?
    
    It may be secure enough, depending upon the resolution of microtime(),
    and what exactly the session ID is protecting.
    
    > Any way to make it more secure/random?
    
    Yes; by using a RNG, or at least a better PRNG than rand(). EGD[1] is
    an option, if you have an adequate source of entropy with which to
    feed it.
    
    [1] http://egd.sourceforge.net/
    
    -- 
    Glynn Clements <glynn.clementsat_private>
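The following is an added example, not part of the original thread, written to make the point of the reply concrete: the questioner's MD5 recipe is a deterministic function of inputs an observer already sees (IP, User-Agent) plus two small unknowns (the rand() output and the microtime() value), so its unpredictability is bounded by those two, and the hash adds nothing. The hardened version draws the ID from the operating system's CSPRNG via Python's secrets module, which is the "better RNG" the reply asks for. The constants used in the demonstration (31 bits for rand(), a one-second window at microsecond resolution, the sample IP and User-Agent) are assumptions for illustration, not values from the page.

```python
"""Weak (MD5 over request data + rand() + microtime()) versus CSPRNG-based
session IDs, with an entropy estimate for each. Added example; all sample
inputs below are constructed."""
import hashlib
import math
import secrets


def weak_session_id(remote_ip: str, user_agent: str, rand_value: int,
                    microtime: str) -> str:
    """Reproduce the questioner's formula.

    remote_ip and user_agent are chosen by whoever sends the request, so
    the only inputs an outsider does not know are rand_value and microtime.
    The result is fully determined by those two unknowns.
    """
    material = f"{remote_ip}{user_agent}{rand_value}{microtime}".encode()
    return hashlib.md5(material).hexdigest()


def estimate_weak_entropy_bits(rand_bits: int, time_window_units: int) -> float:
    """Upper bound on the weak ID's unpredictability, in bits.

    rand_bits: size of the PRNG output in bits (31 is an assumption for a
               typical C-library rand(); adjust for the real platform).
    time_window_units: number of distinct microtime() values an observer
               cannot narrow down further, e.g. 1_000_000 for a one-second
               window at microsecond resolution.
    MD5 is a fixed public function, so it contributes no entropy.
    """
    return rand_bits + math.log2(time_window_units)


def strong_session_id(nbytes: int = 32) -> str:
    """Session ID drawn from the OS CSPRNG (the reply's recommendation
    instead of rand()); URL-safe so it can go straight into a cookie."""
    return secrets.token_urlsafe(nbytes)


def strong_entropy_bits(nbytes: int = 32) -> int:
    """Every byte from the CSPRNG is a full 8 bits of unpredictability."""
    return nbytes * 8


if __name__ == "__main__":
    # Constructed request data; an observer would know both values.
    ip, ua = "192.0.2.10", "Mozilla/5.0 (constructed UA)"
    weak = weak_session_id(ip, ua, rand_value=1804289383,
                           microtime="0.53912300 1010710470")
    print("weak id   :", weak)
    print("weak bits :", round(estimate_weak_entropy_bits(31, 1_000_000), 2))
    print("strong id :", strong_session_id())
    print("strong bits:", strong_entropy_bits())
```

The figure printed for the weak scheme is an optimistic bound: if the server's clock or the request timing is observable, the effective window is far smaller than a second, and rand() on many platforms can be re-derived from its seed. The CSPRNG version has no such dependency on request data or timing, which is why the reply prefers it.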
    This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 13:03:58 PST