Re: Safe session IDs

From: Jedi/Sector One (jat_private)
Date: Mon Jan 14 2002 - 12:23:08 PST


    On Sun, Jan 13, 2002 at 12:17:16AM +0100, Thomas Jespersen wrote:
    > Is it supposed to run on an Apache server? The reason I ask is because
    > Apache provides a Unique-ID API if you install the correct module:
    
      This is a very bad idea. Apache's unique-ids are nice, but totally
    insecure. It's just based on pid, server address, a timestamp (one second
    precision only) and an incremental counter.
    
      Best regards,
      
              -Frank.
    
    -- 
                   Frank DENIS (Jedi/Sector One) <jat_private>
    HotLinker - http://www.HotLinker.Net -*- Pure-FTPd - http://www.PureFTPd.Org
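
To illustrate the point made in the message above, here is an added example (not part of the original post and not Apache's code). It builds an identifier from the four fields the message lists, shows that every field can be read back out of the token, and contrasts it with an ID drawn from the OS CSPRNG. The byte layout, the function names and the sample values are assumptions made for this illustration.

```python
import base64
import math
import secrets
import socket
import struct

# Assumed layout, for illustration only (not Apache's actual encoding):
# 32-bit timestamp, 4-byte IPv4 address, 32-bit pid, 16-bit counter.
LAYOUT = "!I4sIH"

def structured_id(ts, ip, pid, counter):
    """Build an identifier from timestamp, server address, pid and counter."""
    raw = struct.pack(LAYOUT, ts, socket.inet_aton(ip), pid, counter & 0xFFFF)
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_structured_id(token):
    """Read every field back out of a token: it contains no secret."""
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    ts, ip, pid, counter = struct.unpack(LAYOUT, raw)
    return {"ts": ts, "ip": socket.inet_ntoa(ip), "pid": pid, "counter": counter}

def guess_space_bits(window_seconds, pid_range, counter_range):
    """Upper bound, in bits, on what is still unknown about another ID from
    the same server once one ID has been seen (the address is then fixed)."""
    return math.log2(window_seconds * pid_range * counter_range)

def random_session_id(nbytes=32):
    """Session ID from the OS CSPRNG: 8 * nbytes bits, none of them derivable."""
    return secrets.token_urlsafe(nbytes)

if __name__ == "__main__":
    # Constructed sample values (documentation address, made-up pid and counter).
    first = structured_id(1011040000, "192.0.2.10", 4242, 17)
    second = structured_id(1011040000, "192.0.2.10", 4242, 18)
    print("structured:", first, second)
    print("decoded   :", decode_structured_id(first))
    # Same second, same worker process: only the tail of the token changes.
    print("shared prefix chars:", len(first[:16]), first[:16] == second[:16])
    # Generous ranges: 60 s window, 32768 pids, full 16-bit counter.
    print("structured guess space <= %.1f bits" % guess_space_bits(60, 32768, 65536))
    print("random ID (256 bits)  :", random_session_id())
```
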
    


