Re: Safe session IDs

From: Glynn Clements (glynn.clements@virgin.net)
Date: 01/11/02


From: Glynn Clements <glynn.clements@virgin.net>
Date: Fri, 11 Jan 2002 02:34:30 +0000
To: "Ryan M Harris" <rmharris@acdinc.net>


Ryan M Harris wrote:

> What is the most secure way of generating a session number?

With a decent (hardware) RNG.

> I have used the following formula in the past.

> sessionid = md5( <REMOTE_IP> + <REMOTE_USER_AGENT> + rand() (5 bytes from
> here) + microtime() )

> Is it secure (from a randomness perspective)?

It may be secure enough, depending upon the resolution of microtime(),
and what exactly the session ID is protecting.

> Any way to make it more secure/random?

Yes; by using a RNG, or at least a better PRNG than rand(). EGD[1] is
an option, if you have an adequate source of entropy with which to
feed it.

[1] http://egd.sourceforge.net/

-- 
Glynn Clements <glynn.clements@virgin.net>
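The scheme quoted in the thread, modelled and attacked in Python as an added example (this is not code from the thread or from either poster). It treats the IP address and User-Agent as known to the attacker, assumes rand() is a 15-bit libc rand() (RAND_MAX 32767) and microtime() a microsecond clock, brute-forces the remaining search space for a bounded creation-time window, and contrasts the recipe with a generator that draws from the OS CSPRNG, which is the "better RNG" the reply recommends. RAND_MAX, the clock resolution and the sample request values are assumptions, not facts from the thread.

```python
"""Model of md5(ip + ua + rand() + microtime()) and a brute-force attack on it,
beside a session-ID generator built on the OS CSPRNG.

Assumptions (not from the thread): rand() is a 15-bit libc rand(), microtime()
is a microsecond tick count, and the attacker knows the victim's IP and UA.
"""

import hashlib
import math
import secrets

RAND_MAX = 32767                # assumption: 15-bit libc rand()
TICKS_PER_SECOND = 1_000_000    # assumption: microtime() resolves to 1 us


def weak_session_id(ip: str, ua: str, rand_value: int, ticks: int) -> str:
    """The quoted recipe.  md5 only mixes; it adds no entropy of its own,
    so the ID is exactly as unpredictable as (rand_value, ticks)."""
    data = f"{ip}{ua}{rand_value}{ticks}".encode()
    return hashlib.md5(data).hexdigest()


def guessable_bits(window_seconds: float, rand_max: int = RAND_MAX,
                   ticks_per_second: int = TICKS_PER_SECOND) -> float:
    """Upper bound on the entropy an attacker must search when IP and UA are
    known and session creation is bounded to within window_seconds."""
    clock_states = max(1, int(window_seconds * ticks_per_second))
    return math.log2(clock_states * (rand_max + 1))


def brute_force(target: str, ip: str, ua: str, tick_lo: int, tick_hi: int,
                rand_max: int = RAND_MAX):
    """Recover (rand_value, ticks) for a known IP/UA and a bounded time window.
    Returns None if the target was not produced inside that window."""
    prefix = f"{ip}{ua}".encode()
    for ticks in range(tick_lo, tick_hi + 1):
        for r in range(rand_max + 1):
            digest = hashlib.md5(prefix + f"{r}{ticks}".encode()).hexdigest()
            if digest == target:
                return r, ticks
    return None


def strong_session_id(nbytes: int = 16) -> str:
    """128 bits straight from the OS CSPRNG: no request data, no clock,
    nothing for an attacker to narrow down."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed sample request: a login at a known second of the clock.
    ip, ua = "10.0.0.5", "Mozilla/4.0 (compatible)"
    created = 1010709270_000123          # constructed microsecond tick value
    sid = weak_session_id(ip, ua, 1234, created)

    print(f"attacker search space for a 1 s window: "
          f"{guessable_bits(1.0):.1f} bits")
    # Attacker who bounds creation to a 20 us window (constructed for speed).
    print("recovered:", brute_force(sid, ip, ua, created - 10, created + 10))
    print("CSPRNG session id:", strong_session_id())
```

With a one-second window the weak recipe leaves only about 35 bits to search, and the 15-bit rand() may be worse still if it was seeded from the clock; that is why the reply's "secure enough" hinges on the clock resolution and on what the session protects. The hardened generator replaces the whole construction with 128 bits from the OS; the PHP equivalent is bin2hex(random_bytes(16)) on PHP 7 and later.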
