Seeding is done by each connection. Time in microseconds since midnight till
when they connect.

Ryan

----- Original Message -----
From: "Jarno Huuskonen" <Jarno.Huuskonenat_private>
To: <secprogat_private>
Sent: Friday, January 11, 2002 1:02 AM
Subject: Re: Safe session IDs

> On Thu, Jan 10, Ryan M Harris wrote:
> > What is the most secure way of generating a session number?
> >
> > I have used the following formula in the past. Is it secure (from a
> > randomness perspective)? Any way to make it more secure/random?
>
> I would recommend reading the cookie eaters publications:
> http://cookies.lcs.mit.edu/pubs.html
>
> > sessionid = md5( <REMOTE_IP> + <REMOTE_USER_AGENT> + rand() (5 bytes from
> > here) + microtime() )
>
> How do you seed the prng (srand) ? According to man 3 rand on my linux
> box if you don't seed it it'll use 1 as seed all the time, so it's
> possible that rand() gives you the same sequence all the time.
>
> -Jarno
>
> --
> Jarno Huuskonen <Jarno.Huuskonenat_private>
>
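
Added example, not part of the original thread: a C sketch of why the rand() term in the formula above carries no secret beyond the connect time used as the seed, next to a session ID drawn from the kernel CSPRNG. The function names, the 128-bit token size and the use of /dev/urandom are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOKEN_BYTES 16  /* assumed token size: 128 bits */

/* rand() term of the discussed formula, seeded per connection with the
 * microseconds-since-midnight value. srand() takes an unsigned int, and
 * the result is a pure function of that seed: anyone who knows the
 * connect time can recompute it. */
static int rand_component(unsigned int usec_since_midnight)
{
    srand(usec_since_midnight);
    return rand();
}

/* Hardened form: hex-encode TOKEN_BYTES read from /dev/urandom.
 * out must hold 2*TOKEN_BYTES + 1 chars. Returns 0 on success, -1 on
 * any failure; on failure no session should be issued. */
static int secure_session_id(char *out, size_t outlen)
{
    unsigned char buf[TOKEN_BYTES];
    size_t i, got;
    FILE *f;

    if (outlen < 2 * TOKEN_BYTES + 1)
        return -1;
    f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    got = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (got != sizeof buf)      /* short read: do not use partial data */
        return -1;
    for (i = 0; i < sizeof buf; i++)
        snprintf(out + 2 * i, 3, "%02x", buf[i]);
    return 0;
}

int main(void)
{
    char id[2 * TOKEN_BYTES + 1];
    unsigned int t = 3723000001u;  /* constructed sample connect time */

    /* Two connections seeded with the same value get the same rand(). */
    printf("weak:   %d %d\n", rand_component(t), rand_component(t));
    if (secure_session_id(id, sizeof id) != 0)
        return 1;
    printf("strong: %s\n", id);
    return 0;
}
```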
This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 14:41:21 PST