Ooh, and here's a good question. Once I get it to the client, how can I make sure that it wasn't hijacked via man-in-the-middle or a sniffer on the client end? I used to use REMOTE_IP and REMOTE_USERAGENT stored on the server end and compare them to the value sent from the user. But I need a way to ensure that the cookie wasn't grabbed on the way, etc., now...

Ryan

----- Original Message -----
From: "Ryan M Harris" <rmharrisat_private>
To: "Josh Daymont" <joshdat_private>; "Hector Herrera" <hectorhat_private>; "Giorgio Zoppi" <denebat_private>; <secprogat_private>
Sent: Friday, January 11, 2002 11:45 AM
Subject: Re: Safe session IDs

> First of all, thank you all for the help. I sent a reply directly only to
> people who had mentioned something that I can't use, and gave a reason.
>
> I see I have to make myself a little more clear. Unfortunately, because of
> specification restraints I must rely on generating a unique, unpredictable
> number on ANY operating system, and I cannot expect the user to install 3rd-party
> randomizers, hardware or software (such as Yarrow, though it looks
> good).
>
> 1) It must be written in PHP, but because of the features I need I can't use
> its built-in session handler.
> 2) I cannot rely on /dev/urandom because Windows does not support that.
> 3) Microtime() returns time() + microseconds since the last second.
> 4) The MD5 is for mangling of the data just so it is harder to guess; it also
> serves as a convenient way of ensuring safe passing via the browser.
>
> Based on these constraints, is there a good way of doing this? I could use
> a built-in PHP function called UniqID, but it seems to only be md5(rand()).
>
> Ryan
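The two questions in this message (an unpredictable session ID on any OS without /dev/urandom, and a way to tell whether the cookie that comes back was forged or edited) are answered below with an added example in current PHP. It is not code from the thread or from the poster, and it assumes PHP 7.3 or later: random_bytes() reads the operating system's CSPRNG on every platform (CryptGenRandom/BCryptGenRandom on Windows, getrandom() or /dev/urandom elsewhere), which did not exist in 2002. The cookie name, the server secret and the constructed request values are hypothetical.

```php
<?php
// Added example, not code from the original thread. Assumes PHP >= 7.3.
// random_bytes() draws from the OS CSPRNG on every platform, which removes
// the "no /dev/urandom on Windows" constraint from the post. It did not
// exist in 2002; the original poster had no equivalent built in.

declare(strict_types=1);

const SESSION_ID_BYTES = 16;      // 128 bits of entropy: not guessable
const COOKIE_NAME      = 'sid';   // hypothetical cookie name
// Hypothetical server secret; in practice load 32 random bytes from config
// or the environment, never a literal in source.
const SERVER_SECRET    = 'replace-with-32-bytes-from-random_bytes()';

/** Fresh, unpredictable session ID as 32 lowercase hex characters. */
function generate_session_id(): string
{
    return bin2hex(random_bytes(SESSION_ID_BYTES));
}

/** Keyed tag over the ID: a forged or edited ID fails this before any DB lookup. */
function session_tag(string $id): string
{
    return hash_hmac('sha256', $id, SERVER_SECRET);
}

/** Value placed in the cookie: "<id>.<hmac>". */
function issue_cookie_value(string $id): string
{
    return $id . '.' . session_tag($id);
}

/**
 * Validate an incoming cookie value; returns the ID or null.
 * Detects tampering and guessing, NOT replay of a cookie sniffed intact.
 * Only TLS (plus the Secure flag below) keeps the cookie off the wire in clear.
 */
function parse_cookie_value(string $value): ?string
{
    $parts = explode('.', $value, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$id, $tag] = $parts;
    if (preg_match('/^[0-9a-f]{32}$/', $id) !== 1) {
        return null;                          // malformed ID, reject before hashing
    }
    // hash_equals() compares in constant time so timing does not leak the tag.
    return hash_equals(session_tag($id), $tag) ? $id : null;
}

/** The fingerprint the poster already used (client IP + User-Agent), kept server side. */
function client_fingerprint(array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . "\0" . $ua);
}

/** Send the cookie so the browser returns it only over HTTPS and never exposes it to scripts. */
function send_session_cookie(string $id): void
{
    setcookie(COOKIE_NAME, issue_cookie_value($id), [
        'expires'  => time() + 1800,          // short lifetime bounds the window for a stolen cookie
        'path'     => '/',
        'secure'   => true,                   // HTTPS only: a sniffer on the wire sees ciphertext
        'httponly' => true,                   // not readable by JavaScript
        'samesite' => 'Strict',
    ]);
}

// Constructed demonstration (no real HTTP request; send_session_cookie() is not called here).
$id     = generate_session_id();
$cookie = issue_cookie_value($id);
$server = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => 'Mozilla/5.0 (example)'];
$storedFingerprint = client_fingerprint($server);   // persist next to $id at login

assert(parse_cookie_value($cookie) === $id);        // genuine cookie accepted
assert(parse_cookie_value(strrev($cookie)) === null); // garbage rejected
// Attacker edits one hex digit of the ID: the HMAC no longer matches.
$forged = ($cookie[0] === 'f' ? '0' : 'f') . substr($cookie, 1);
assert(parse_cookie_value($forged) === null);

// On each request: same parse, then compare fingerprints. This is a weak signal
// (IPs change behind proxies/NAT, the User-Agent is trivially copied), so treat
// a mismatch as a reason to re-authenticate, not as proof of hijacking.
assert(hash_equals($storedFingerprint, client_fingerprint($server)));
```

The HMAC answers "was this cookie made up or modified?" but cannot answer "was it copied off the wire?": a cookie captured intact replays perfectly, and nothing the server computes afterwards can tell the copy from the original. The controls for that are transport encryption with the Secure flag, a short lifetime, and reissuing the ID whenever the session's privilege changes. Run with zend.assertions=1 to have the assert() lines checked.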
This archive was generated by hypermail 2b30 : Fri Jan 11 2002 - 15:13:30 PST