Ryan M Harris wrote:

> What is the most secure way of generating a session number?

With a decent (hardware) RNG.

> I have used the following formula in the past.
>
> sessionid = md5( <REMOTE_IP> + <REMOTE_USER_AGENT> + rand() (5 bytes from
> here) + microtime() )
>
> Is it secure (from a randomness perspective)?

It may be secure enough, depending upon the resolution of microtime(),
and what exactly the session ID is protecting.

> Any way to make it more secure/random?

Yes; by using a RNG, or at least a better PRNG than rand(). EGD[1] is an
option, if you have an adequate source of entropy with which to feed it.

[1] http://egd.sourceforge.net/

-- 
Glynn Clements <glynn.clementsat_private>
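Added example, not code from either poster: the formula from the question next to a CSPRNG-backed session ID, with an offline search that shows why md5 cannot add entropy the inputs lack. Python stands in for the PHP of the post; the byte encoding of rand() and microtime(), the 256-value rand() model, the 1000-microsecond window and all victim values are constructed assumptions for the demonstration.

```python
# Added example (not from the thread): the posted formula next to a CSPRNG-backed
# session ID, plus an offline brute force showing why the hash adds no entropy.
import hashlib
import hmac
import math
import secrets


def posted_formula(remote_ip: str, user_agent: str, rand_bytes: bytes, microtime_us: int) -> str:
    """md5(REMOTE_IP + REMOTE_USER_AGENT + rand() + microtime()) as in the post.

    Assumption: the post gives no exact encoding, so rand() is modelled as 5 raw
    bytes and microtime() as an integer count of microseconds.
    """
    material = remote_ip.encode() + user_agent.encode() + rand_bytes + str(microtime_us).encode()
    return hashlib.md5(material).hexdigest()


def unknown_bits(rand_bits: float, microtime_window_us: int) -> float:
    """Upper bound on the entropy an attacker still has to guess.

    REMOTE_IP and User-Agent are visible to anyone on the network path, so only
    rand() and the timestamp's position inside the attacker's uncertainty window
    count. md5 mixes its input but cannot add entropy beyond what went in.
    """
    return rand_bits + math.log2(microtime_window_us)


def recover_inputs(target_id, remote_ip, user_agent, rand_candidates, t0_us, window_us):
    """Offline search over the unknown inputs; returns (rand_bytes, microtime) or None."""
    for rb in rand_candidates:
        for t in range(t0_us, t0_us + window_us):
            if posted_formula(remote_ip, user_agent, rb, t) == target_id:
                return rb, t
    return None


def secure_session_id(nbytes: int = 32) -> str:
    """CSPRNG-backed ID: nbytes from the OS RNG via the secrets module, hex-encoded."""
    return secrets.token_hex(nbytes)


def session_ids_match(presented: str, stored: str) -> bool:
    """Compare in constant time so a lookup does not leak the ID byte by byte."""
    return hmac.compare_digest(presented.encode(), stored.encode())


# Constructed scenario (not real data): the attacker sees the victim's IP and
# User-Agent, knows the issue time to within 1000 us, and models rand() as one
# of 256 values, a constructed stand-in for a rand() whose seed has been
# narrowed down (the real libc rand() is not simulated here).
VICTIM_IP = "192.0.2.10"
VICTIM_UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
TRUE_RAND = (200).to_bytes(5, "big")
T0_US = 1_010_707_200_000_000   # start of the attacker's window (constructed)
TRUE_T_US = T0_US + 731         # actual microtime() at issue (constructed)
WINDOW_US = 1000
RAND_CANDIDATES = [i.to_bytes(5, "big") for i in range(256)]


def demo_break_posted_formula():
    """Issue a session ID with the posted formula, then recover its inputs offline."""
    target = posted_formula(VICTIM_IP, VICTIM_UA, TRUE_RAND, TRUE_T_US)
    return recover_inputs(target, VICTIM_IP, VICTIM_UA, RAND_CANDIDATES, T0_US, WINDOW_US)


if __name__ == "__main__":
    print("unknown bits, perfect 5-byte rand() + 1 s of microseconds:",
          round(unknown_bits(40, 10**6), 1))
    print("recovered inputs:", demo_break_posted_formula())
    sid = secure_session_id()
    print("CSPRNG session id:", sid, session_ids_match(sid, sid))
```

Even with a perfect 5-byte rand() the formula carries at most about 60 bits of unknown input once the attacker knows the second in which the ID was issued, far below the 128 bits the md5 output suggests, and a predictable rand() collapses it to a search the size of the timestamp window. The secrets module draws from the operating system's RNG (os.urandom), which is the kind of source the reply recommends; EGD is the option for a system that has no such kernel pool of its own.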
This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 13:03:58 PST