Re: Safe session IDs
From: Glynn Clements <email@example.com>
Date: Fri, 11 Jan 2002 02:34:30 +0000
To: "Ryan M Harris" <firstname.lastname@example.org>
In reply to: Ryan M Harris: "Safe session IDs"
Next in thread: Ryan M Harris: "Re: Safe session IDs"
Ryan M Harris wrote:
> What is the most secure way of generating a session number?
With a decent (hardware) RNG.
> I have used the following formula in the past.
> sessionid = md5( <REMOTE_IP> + <REMOTE_USER_AGENT> + rand() (5 bytes from
> here) + microtime() )
> Is it secure (from a randomness perspective)?
It may be secure enough, depending upon the resolution of microtime(),
and what exactly the session ID is protecting.
> Any way to make it more secure/random?
Yes; by using an RNG, or at least a better PRNG than rand(). EGD is
an option, if you have an adequate source of entropy with which to
-- Glynn Clements <email@example.com>
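The two points made in this exchange (that md5 over mostly known inputs adds no randomness, and that the effective entropy of the quoted scheme is bounded by rand() and the resolution of microtime()) can be made concrete in code. The following is an added example written for this archive page, not code from either poster; it is Python standing in for the PHP-style md5()/rand()/microtime() of the quoted formula, and the sample IP, user agent and entropy parameters are constructed values.

```python
import hashlib
import math
import random
import secrets

# Constructed sample request attributes standing in for REMOTE_IP and
# REMOTE_USER_AGENT in the quoted formula. Both are typically visible to
# anyone who can observe the client's traffic, so they add no secrecy.
SAMPLE_IP = "192.0.2.10"
SAMPLE_UA = "Mozilla/5.0 (constructed sample agent)"


def weak_session_id(remote_ip: str, user_agent: str,
                    rand_bytes: bytes, microtime: str) -> str:
    """The quoted scheme: md5 over IP + UA + rand() bytes + microtime().

    md5 is deterministic, so the ID is a pure function of its inputs:
    whoever can reproduce the inputs can reproduce the ID. Hashing
    changes the shape of the value, not how unpredictable it is.
    """
    material = (remote_ip.encode() + user_agent.encode()
                + rand_bytes + microtime.encode())
    return hashlib.md5(material).hexdigest()


def prng_bytes_from_seed(seed: int, n: int = 5) -> bytes:
    """A seeded, non-cryptographic PRNG (the role rand() plays above).

    Python's random.Random is used as the stand-in for rand(): its output
    is fully determined by the seed, which is the property that makes
    such generators unsuitable as the sole source of a session secret.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def weak_scheme_entropy_bits(rand_bytes_len: int = 5,
                             rand_state_bits: int = 32,
                             microtime_resolution: int = 1_000_000,
                             uncertainty_window_s: float = 1.0) -> float:
    """Upper bound on the unpredictable bits in the quoted scheme.

    IP and UA are assumed known, so they contribute 0 bits. rand() can
    yield at most its internal state size no matter how many bytes are
    taken from it (assumed 32 bits here; a constructed parameter).
    microtime() contributes log2 of the number of distinct ticks inside
    the window during which the ID could have been issued, which is why
    the reply says it depends on microtime()'s resolution.
    """
    rand_bits = min(8 * rand_bytes_len, rand_state_bits)
    time_bits = math.log2(microtime_resolution * uncertainty_window_s)
    return rand_bits + time_bits


def secure_session_id(nbytes: int = 16) -> str:
    """A session ID drawn from the OS CSPRNG via the secrets module.

    This is the 'use a (better) RNG' recommendation from the reply:
    no request attributes are mixed in because they add nothing, and
    every bit of the token is unpredictable.
    """
    return secrets.token_hex(nbytes)


def secure_scheme_entropy_bits(nbytes: int = 16) -> int:
    """Each byte from the CSPRNG is a full 8 bits of entropy."""
    return 8 * nbytes


if __name__ == "__main__":
    rb = prng_bytes_from_seed(1234)
    print("weak id:", weak_session_id(SAMPLE_IP, SAMPLE_UA, rb, "0.123456 1010700870"))
    print("weak scheme, microsecond clock:", round(weak_scheme_entropy_bits(), 1), "bits")
    print("weak scheme, 10 ms clock:", round(weak_scheme_entropy_bits(microtime_resolution=100), 1), "bits")
    print("secure id:", secure_session_id(), "=", secure_scheme_entropy_bits(), "bits")
```

Run as a script it prints the weak ID for the constructed inputs next to the entropy bound for a microsecond clock and for a coarser 10 ms clock, then a CSPRNG-backed ID; the comparison shows that the clock resolution, not the md5 or the five rand() bytes, decides how much the quoted scheme is actually worth.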