Re: Safe session IDs

From: Glynn Clements (glynn.clementsat_private)
Date: Fri Jan 11 2002 - 16:23:54 PST

    I wrote:
    
    > As Christian also points out, if you don't have something which is
    > *guaranteed* to differ for each invocation (e.g. a pid),
    
    Of course, after I sent this, it occurred to me that a pid won't
    suffice, because:
    
    a) the httpd may well handle multiple connections using the same
    process, and
    
    b) the session ID is likely to outlive the process which created it,
    and may still be in use when the pid wraps around.
    
    Unless you absolutely cannot have a writable file, or are creating
    many sessions per second, I'd maintain an invocation counter (PHP has
    flock() and arbitrary precision arithmetic).
    
    -- 
    Glynn Clements <glynn.clementsat_private>
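
The invocation counter suggested above, sketched in PHP with flock() and bcadd(), as an added example that is not code from the original post. The function names and the counter file path are hypothetical, and appending random_bytes() output is an assumption beyond the post: the counter guarantees that IDs differ, but on its own it is predictable.

```php
<?php
// Added example; function names and the counter path are hypothetical.
// Requires the bcmath extension for bcadd().

// Atomically increment the counter in $path; return the new value as a decimal string.
function next_invocation_count(string $path): string
{
    // 'c+': read/write, create if missing, never truncate on open.
    $fh = fopen($path, 'c+');
    if ($fh === false) {
        throw new RuntimeException("cannot open counter file: $path");
    }
    try {
        // Exclusive lock serialises concurrent requests and httpd children.
        if (!flock($fh, LOCK_EX)) {
            throw new RuntimeException('cannot lock counter file');
        }
        $raw = trim((string) stream_get_contents($fh));
        if ($raw === '') {
            $raw = '0';                       // first invocation
        } elseif (!ctype_digit($raw)) {
            // Fail closed: restarting from 0 could reissue an old value.
            throw new RuntimeException('counter file is corrupt');
        }
        $next = bcadd($raw, '1');             // arbitrary precision, no wrap-around
        rewind($fh);
        ftruncate($fh, 0);
        if (fwrite($fh, $next) === false || !fflush($fh)) {
            throw new RuntimeException('cannot update counter file');
        }
        return $next;
    } finally {
        fclose($fh);                          // closing the handle releases the lock
    }
}

// Assumption beyond the post: the counter supplies uniqueness only, so a
// CSPRNG suffix is appended to make the full ID unguessable.
function new_session_id(string $counterPath): string
{
    return next_invocation_count($counterPath) . '-' . bin2hex(random_bytes(16));
}

$path = sys_get_temp_dir() . '/session_counter_demo.txt';  // constructed demo path
echo new_session_id($path), "\n";
echo new_session_id($path), "\n";  // counter part is one higher than the line above
```

Because the count lives in a file rather than in the process, it survives both the pid reuse and the multiple-connections-per-process cases listed in the message.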
    



    This archive was generated by hypermail 2b30 : Sat Jan 12 2002 - 08:20:12 PST