Re: Safe session IDs
From: Glynn Clements (glynn.clements@virgin.net) Date: 01/11/02
- Previous message: Josh Daymont: "URL for Yarrow PRNG"
- In reply to: Ryan M Harris: "Safe session IDs"
- Next in thread: Ryan M Harris: "Re: Safe session IDs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Glynn Clements <glynn.clements@virgin.net>
Date: Fri, 11 Jan 2002 02:34:30 +0000
To: "Ryan M Harris" <rmharris@acdinc.net>
Ryan M Harris wrote:
> What is the most secure way of generating a session number?
With a decent (hardware) RNG.
> I have used the following formula in the past.
> sessionid = md5( <REMOTE_IP> + <REMOTE_USER_AGENT> + rand() (5 bytes from
> here) + microtime() )
> Is it secure (from a randomness perspective)?
It may be secure enough, depending upon the resolution of microtime(),
and what exactly the session ID is protecting.
> Any way to make it more secure/random?
Yes; by using a RNG, or at least a better PRNG than rand(). EGD[1] is
an option, if you have an adequate source of entropy with which to
feed it.
[1] http://egd.sourceforge.net/
-- Glynn Clements <glynn.clements@virgin.net>
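The point made above, that MD5 over request fields adds no unpredictability beyond the few PRNG bytes and the timestamp resolution, can be checked numerically. The following is an added example, not code from the thread or from either poster; it reconstructs the quoted construction in Python (the original was presumably PHP), treats the 5 rand() bytes as at most 40 unknown bits, takes the microtime() resolution and the attacker's timestamp uncertainty window as parameters (assumed values, not from the post), and puts the hardened form next to it, drawing the whole ID from the operating system CSPRNG via the `secrets` module.

```python
import hashlib
import math
import secrets


def weak_session_id(remote_ip: str, user_agent: str,
                    rand_bytes: bytes, microtime: float) -> str:
    """The construction quoted in the thread: MD5 over client-visible
    strings, a few PRNG bytes and a timestamp.

    Hashing does not add randomness. REMOTE_IP and User-Agent are known to
    the client that sent them, so the ID is only as unpredictable as
    rand_bytes and microtime together.
    """
    material = (
        remote_ip.encode()
        + user_agent.encode()
        + rand_bytes
        + f"{microtime:.6f}".encode()   # microsecond resolution, as in PHP
    )
    return hashlib.md5(material).hexdigest()


def weak_scheme_entropy_bits(unknown_rand_bits: int,
                             microtime_resolution_s: float,
                             uncertainty_window_s: float) -> float:
    """Upper bound on the bits an observer who already knows the IP and
    User-Agent would have to guess: the PRNG bits plus log2 of the number
    of distinguishable timestamps inside the creation-time window.

    This is a ceiling; a PRNG like rand() that is seeded or reseeded
    predictably delivers fewer real bits than its output width.
    """
    distinguishable_times = max(uncertainty_window_s / microtime_resolution_s, 1.0)
    return unknown_rand_bits + math.log2(distinguishable_times)


def secure_session_id(n_bytes: int = 16) -> str:
    """Hardened form: the whole ID comes from the OS CSPRNG (secrets uses
    os.urandom). No request fields are mixed in, because they contribute
    nothing an attacker does not already know; the ID carries the full
    n_bytes * 8 bits of unpredictability."""
    return secrets.token_hex(n_bytes)


def secure_scheme_entropy_bits(n_bytes: int = 16) -> int:
    """Entropy of secure_session_id(): every output bit is random."""
    return n_bytes * 8


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    weak = weak_session_id("192.0.2.10", "Mozilla/4.0 (compatible)",
                           b"\x01\x02\x03\x04\x05", 1010000000.123456)
    print("weak id   :", weak)
    # Assumed attacker model: 1 s uncertainty about creation time,
    # microsecond timestamps, 40 PRNG bits at best.
    print("weak bits :", round(weak_scheme_entropy_bits(40, 1e-6, 1.0), 1))
    print("secure id :", secure_session_id())
    print("secure bits:", secure_scheme_entropy_bits())
```

With the assumed parameters the weak scheme tops out near 60 bits even before discounting rand()'s own weaknesses, while sixteen CSPRNG bytes give 128; shrinking the time window (say, an attacker who saw the login happen) takes the weak scheme's figure down towards the bare 40 PRNG bits, which is exactly the "depending upon the resolution of microtime()" caveat in the reply.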