Speaking of sessionID generation... My research group recently published a document on good design practices and reverse engineering of Web client authentication schemes (e.g., authenticators in URLs and cookies). If you have stories about problems in Web client authentication, we'd love to document them.

The technical report is on:

http://cookies.lcs.mit.edu/

A shorter version of the document will be presented at the USENIX Security Symposium in August. The document includes a story about session IDs and linear congruential number generators...

-Kevin

>I just had a quick peek so the following 'information' is based on first
>impressions and is probably full of errors. I hope this could stir up
>some discussion about session id generation / using timeofday as random
>seed/value etc. (or could somebody point me to some references).

--------
Kevin E. Fu (fubobat_private)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html
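The message above mentions session IDs built from a linear congruential generator (LCG) and the quoted question about seeding from the time of day. The following is an added illustration written for this archive page; it is not code from the technical report or from the poster, and it does not reproduce whatever generator the report describes. It assumes the classic ANSI C rand() LCG constants, a toy server that seeds the generator from the clock and hands out generator outputs as session IDs, and a constructed start time. It shows three things a practitioner would want to see: that a full-state output lets an attacker compute the next session ID directly, that time-of-day seeding lets an attacker recover the seed by brute-forcing a small time window, and that truncating the output to the top 15 bits (as rand() does) only costs the attacker a 2^16 search over the hidden bits once a few consecutive IDs are observed. The last function shows the replacement: IDs drawn from the OS CSPRNG.

```python
import secrets

# Assumed LCG parameters (the classic ANSI C rand() constants); chosen for
# illustration only, not the generator from the report discussed above.
A, C, M = 1103515245, 12345, 1 << 31


def lcg_next(state: int) -> int:
    """One step of the LCG: x_{n+1} = (A * x_n + C) mod M."""
    return (A * state + C) % M


class LcgSessionIssuer:
    """Toy server: seeds an LCG from the clock and hands out outputs as session IDs."""

    def __init__(self, start_seconds: int) -> None:
        # Time-of-day seed, the practice the quoted message asks about.
        self.state = start_seconds % M

    def issue(self) -> int:
        """Session ID is the full 31-bit generator state."""
        self.state = lcg_next(self.state)
        return self.state

    def issue_truncated(self) -> int:
        """Session ID is only the top 15 bits of the state, as rand() returns."""
        self.state = lcg_next(self.state)
        return self.state >> 16


# --- attacker side -----------------------------------------------------------

def predict_next(observed_id: int) -> int:
    """Full-state IDs: the victim's ID is one generator step from your own."""
    return lcg_next(observed_id)


def recover_seed(first_id: int, guessed_start: int, window: int):
    """Time-of-day seeding: brute-force the seed over +/- window seconds.

    A is odd, so state -> lcg_next(state) is a bijection mod M; within a
    window smaller than M at most one seed can produce first_id.
    """
    for s in range(guessed_start - window, guessed_start + window + 1):
        if lcg_next(s % M) == first_id:
            return s
    return None


def predict_truncated(out1: int, out2: int, out3: int):
    """Truncated IDs: brute-force the 16 hidden low bits of the state behind
    out1, keep candidates consistent with out2 and out3, and return the set
    of possible next IDs (the true next ID is always among them)."""
    predictions = set()
    for low in range(1 << 16):
        s = (out1 << 16) | low
        s2 = lcg_next(s)
        if s2 >> 16 != out2:
            continue
        s3 = lcg_next(s2)
        if s3 >> 16 != out3:
            continue
        predictions.add(lcg_next(s3) >> 16)
    return sorted(predictions)


def secure_session_id() -> str:
    """What to issue instead: 128 bits from the OS CSPRNG, unrelated to the clock."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    start = 994_000_000  # constructed server start time (seconds since epoch, mid-2001)
    srv = LcgSessionIssuer(start)
    mine, victim = srv.issue(), srv.issue()
    print("predicted victim ID matches:", predict_next(mine) == victim)
    print("recovered seed:", recover_seed(mine, start + 200, 600))
    srv2 = LcgSessionIssuer(start)
    t = [srv2.issue_truncated() for _ in range(4)]
    print("4th truncated ID among predictions:", t[3] in predict_truncated(*t[:3]))
    print("CSPRNG session ID:", secure_session_id())
```

The point of the truncated case is that hiding half the state does not make the generator unpredictable; it only sets the attacker's work factor at 2^16 steps, which is instantaneous. The only real fix is to stop deriving IDs from a deterministic generator with a guessable seed and use a CSPRNG with enough output that guessing is infeasible.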
This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 23:22:13 PDT