Re: Safe session IDs

From: Adam Osuchowski (adwol@polsl.gliwice.pl)
Date: 01/11/02


Date: Fri, 11 Jan 2002 00:19:45 +0100
From: Adam Osuchowski <adwol@polsl.gliwice.pl>
To: secprog@securityfocus.com

Ryan M Harris wrote:
> What is the most secure way of generating a session number?
>
> I have used the following formula in the past. Is it secure (from a
> randomness perspective)? Any way to make it more secure/random?
>
> sessionid = md5( <REMOTE_IP> + <REMOTE_USER_AGENT> + rand() (5 bytes from
> here) + microtime() )

Aside from that, I often add an extra time(). microtime() is too periodic, and time
still increases. ;))

-- 
##  Adam Osuchowski   adwol@polsl.gliwice.pl, adwol@silesia.linux.org.pl
##  Silesian University of Technology, Computer Centre   Gliwice, Poland
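As an added example, not part of the thread and not code from either poster: a Python script that reproduces the md5(IP + User-Agent + rand() + microtime()) construction under discussion next to a CSPRNG-based generator, and computes an upper bound on how unpredictable the hashed scheme can be when the inputs an observer can see on the wire (REMOTE_IP, User-Agent) are treated as known. The rand() range (RAND_MAX = 32767, as on some PHP builds), the one-microsecond microtime() resolution and the one-second creation-time window are assumptions chosen for illustration, not values from the thread.

```python
import hashlib
import math
import secrets

# Assumed parameters for the construction quoted in the thread (illustrative,
# not measured): PHP's rand() on a platform where RAND_MAX is 32767, and a
# microtime() clock with one-microsecond resolution.
ASSUMED_RAND_STATES = 32768          # rand() in [0, 32767]
ASSUMED_CLOCK_RESOLUTION_S = 1e-6    # microtime() granularity
ASSUMED_TIME_WINDOW_S = 1.0          # how closely an observer can pin the creation time


def legacy_session_id(remote_ip, user_agent, rand_value, micro_ts):
    """The md5(ip + ua + rand + microtime) construction from the thread,
    reproduced so its output can be examined. It is deterministic in its
    inputs: the hash adds no secrecy beyond what its inputs already carry."""
    material = f"{remote_ip}{user_agent}{rand_value}{micro_ts:.6f}"
    return hashlib.md5(material.encode()).hexdigest()


def entropy_upper_bound_bits(rand_states=ASSUMED_RAND_STATES,
                             time_window_s=ASSUMED_TIME_WINDOW_S,
                             clock_resolution_s=ASSUMED_CLOCK_RESOLUTION_S,
                             secret_input_bits=0):
    """Bits of unpredictability in a hashed ID, counting only inputs an observer
    cannot know. REMOTE_IP and User-Agent travel in the request, so they add
    nothing; rand() and the clock add at most log2(#states) each. A second
    clock value such as time() adds nothing once the window is already counted,
    because it is determined by microtime()."""
    time_states = max(1, round(time_window_s / clock_resolution_s))
    return math.log2(rand_states) + math.log2(time_states) + secret_input_bits


def secure_session_id(nbytes=16):
    """Session ID drawn from the OS CSPRNG: 8 * nbytes bits of entropy
    (128 bits for the 16-byte default), independent of any request data."""
    return secrets.token_hex(nbytes)


def secure_session_id_bits(nbytes=16):
    """Entropy of secure_session_id(nbytes), for side-by-side comparison."""
    return 8 * nbytes


if __name__ == "__main__":
    # Constructed sample inputs; the timestamp is an arbitrary 2002-era value.
    sample = legacy_session_id("10.0.0.1", "Mozilla/5.0", 12345, 1010707185.123456)
    print("legacy scheme id :", sample)
    print("legacy scheme   <=", round(entropy_upper_bound_bits(), 1), "bits")
    print("secure scheme   ==", secure_session_id_bits(), "bits")
    print("secure scheme id :", secure_session_id())
```

Under the stated assumptions the hashed scheme is bounded at roughly 35 bits (15 from rand() plus about 20 from a one-second window at microsecond resolution), whereas the 16-byte CSPRNG token carries 128 bits; raising `rand_states` to a 31-bit generator moves the bound up, but the comparison is only as good as the assumptions fed in, which is the point of keeping them as named parameters.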
