Re: Safe session IDs

From: Jarno Huuskonen
Date: 01/11/02

Date: Fri, 11 Jan 2002 08:02:00 +0200

On Thu, Jan 10, Ryan M Harris wrote:
> What is the most secure way of generating a session number?
> I have used the following formula in the past. Is it secure (from a
> randomness perspective)? Any way to make it more secure/random?

I would recommend reading the cookie eaters publications:

> sessionid = md5( <REMOTE_IP> + <REMOTE_USER_AGENT> + rand() (5 bytes from
> here) + microtime() )

How do you seed the PRNG (srand)? According to man 3 rand on my Linux
box, if you don't seed it, it'll use 1 as the seed all the time, so it's
possible that rand() gives you the same sequence all the time.


Jarno Huuskonen
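
The seeding point raised in the reply, as an added example that is not part of the original post: it checks that an unseeded rand() produces the same sequence as srand(1), then draws a session ID from the kernel CSPRNG instead. Reading /dev/urandom, the 16-byte ID length and the function names are assumptions of this example, not something the thread specifies.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N 5          /* sample length for the comparison (chosen for the demo) */
#define ID_BYTES 16  /* 128-bit ID; the length is an assumption of this example */

/* Fill out[] with the next N values from rand(). */
static void take(int out[N]) {
    for (int i = 0; i < N; i++) out[i] = rand();
}

/* Must be the first use of rand() in the process: compares the unseeded
 * sequence with the one produced after srand(1). Returns 1 if identical,
 * which means the rand() part of the ID is the same on every start. */
int unseeded_equals_seed_1(void) {
    int unseeded[N], seeded[N];
    take(unseeded);            /* no srand() call has happened yet */
    srand(1);
    take(seeded);
    return memcmp(unseeded, seeded, sizeof unseeded) == 0;
}

/* Fill hex (2*ID_BYTES+1 chars) from the kernel CSPRNG. Returns 0 on success. */
int session_id(char hex[2 * ID_BYTES + 1]) {
    unsigned char raw[ID_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw) return -1;   /* fail closed, never fall back to rand() */
    for (size_t i = 0; i < sizeof raw; i++)
        sprintf(hex + 2 * i, "%02x", raw[i]);
    return 0;
}

int main(void) {
    char id[2 * ID_BYTES + 1];
    printf("unseeded rand() == srand(1) sequence: %s\n",
           unseeded_equals_seed_1() ? "yes" : "no");
    if (session_id(id) != 0) return 1;
    printf("session id: %s\n", id);
    return 0;
}
```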