Just turning the random number into a session id should be sufficient and
we can forget the MD5 altogether. But if someone figures out the seed
and can guess future subsequent numbers, then they can guess future
session ids.
By using a hashing algorithm - it makes it impossible to guess what
numbers came from the random number generator.
If MD5 is so broken that a person can piece together a long enough
sequence of numbers to figure out the seed - and guess future session
ids - then we need to replace it.
But MD5 is not that broken.
-Tim
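To make the mechanism above concrete, here is an added illustration in Python (not code from this thread or from Tomcat, and the function names are my own): generator output is passed through a digest to produce the session id, and the digest is swappable between MD5 and SHA-256. It also shows the point about the seed: with a seeded, non-cryptographic PRNG the same ids come out for anyone who knows the seed, whichever digest is used, while ids drawn from the OS CSPRNG have no seed to recover.

```python
import hashlib
import random
import secrets


def session_id(rng_bytes: bytes, algorithm: str = "md5") -> str:
    """Turn raw generator output into a session id by hashing it.

    The hash hides the generator's raw output: someone who only sees
    session ids cannot read back the numbers the generator produced.
    """
    return hashlib.new(algorithm, rng_bytes).hexdigest()


def ids_from_seeded_prng(seed: int, count: int, algorithm: str = "md5") -> list:
    """Ids from a seeded, non-cryptographic PRNG (random.Random is a
    Mersenne Twister, used here as a constructed weak source).

    Anyone holding the seed reproduces exactly the same ids, no matter
    which digest is chosen: the digest adds no entropy of its own.
    """
    rng = random.Random(seed)
    return [session_id(rng.getrandbits(128).to_bytes(16, "big"), algorithm)
            for _ in range(count)]


def ids_from_csprng(count: int, algorithm: str = "sha256") -> list:
    """Ids from the OS CSPRNG (secrets.token_bytes). There is no seed to
    recover, so the digest's remaining job is only to keep the raw bytes
    off the wire and to fix the id length."""
    return [session_id(secrets.token_bytes(16), algorithm) for _ in range(count)]


def digest_hex_length(algorithm: str) -> int:
    """Length in hex characters of a session id for the given digest."""
    return hashlib.new(algorithm).digest_size * 2


if __name__ == "__main__":
    print("seeded, md5   :", ids_from_seeded_prng(42, 2))
    print("seeded, sha256:", ids_from_seeded_prng(42, 2, "sha256"))
    print("csprng, sha256:", ids_from_csprng(2))
```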
Minoo Hamilton wrote:
I'd like to re-raise an issue, since I didn't get too much of a
response, originally. Who can I talk to to lobby to get the default
behavior of using MD5 session token hashes to change? If you weren't
aware of it, there has been a recent and highly-publicized breaking of
SSL, by creating a rogue certificate authority, using collisions in
MD5. Creating collisions in MD5 is no longer a "highly theoretical"
attack for potential session hijacking. I'd very much like to see the
default behavior of Tomcat session tokens become more secure by default
(possibly SHA-256). I think the default hashing algorithm should not be
a known broken and insecure one.