Re: Safe session IDs

From: Jarno Huuskonen (Jarno.Huuskonen@uku.fi)
Date: 01/11/02


Date: Fri, 11 Jan 2002 08:02:00 +0200
From: Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
To: secprog@securityfocus.com

On Thu, Jan 10, Ryan M Harris wrote:
> What is the most secure way of generating a session number?
>
> I have used the following formula in the past. Is it secure (from a
> randomness perspective)? Any way to make it more secure/random?

I would recommend reading the cookie eaters publications:
http://cookies.lcs.mit.edu/pubs.html

> sessionid = md5( <REMOTE_IP> + <REMOTE_USER_AGENT> + rand() (5 bytes from
> here) + microtime() )

How do you seed the PRNG (srand)? According to man 3 rand on my Linux
box, if you don't seed it, it'll use 1 as the seed all the time, so it's
possible that rand() gives you the same sequence all the time.

-Jarno

-- 
Jarno Huuskonen <Jarno.Huuskonen@uku.fi>
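Added example (not from this post or the thread, and in Python rather than the PHP the formula implies): a model of the quoted md5 formula next to a generator that uses the OS CSPRNG. `random.Random(1)` stands in for a C `rand()` that was never seeded with `srand()`, which Jarno notes defaults to seed 1; the IP, user-agent and microtime strings are constructed.

```python
"""Weak vs. strong session-ID generation (added example, not from the thread)."""
import hashlib
import random
import secrets


def rand_bytes_from_default_seed(n=5):
    """Model a process that calls rand() without srand().

    glibc seeds rand() with 1 when srand() is never called, so every process
    start produces the same byte sequence. random.Random(1) is only a stand-in
    for that behaviour; it is not the glibc generator itself.
    """
    rng = random.Random(1)
    return bytes(rng.getrandbits(8) for _ in range(n))


def weak_session_id(remote_ip, user_agent, microtime, rng_bytes):
    """The formula from the post: md5(IP + UA + rand() bytes + microtime()).

    Everything except rng_bytes is supplied by, or visible to, the client, so if
    rng_bytes repeats the token is a pure function of client-controlled input.
    """
    material = remote_ip.encode() + user_agent.encode() + rng_bytes + microtime.encode()
    return hashlib.md5(material).hexdigest()


def strong_session_id(nbytes=16):
    """Draw the whole token from the OS CSPRNG; 128 bits is a common floor."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed request attributes; the microtime string mimics PHP's "msec sec".
    ip, ua, mt = "192.0.2.10", "Mozilla/5.0", "0.12345600 1010729000"
    first = weak_session_id(ip, ua, mt, rand_bytes_from_default_seed())
    second = weak_session_id(ip, ua, mt, rand_bytes_from_default_seed())
    print("weak id repeats across restarts:", first == second)   # True
    print("strong ids differ:", strong_session_id() != strong_session_id())  # True
```

With the CSPRNG version the token carries no client-derived material at all, so there is nothing for the session-fixation or prediction concerns in the thread to latch onto.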
