On Mon, 15 Nov 2004, Gerald Richter wrote:

> Hi,
>
>> The problem is that this happens maybe once or twice a month (we have
>> about 10-15 thousand logins per day). So it's really hard to
>> reproduce, and as far as I understand wouldn't the closure problem
>> create this problem more often?)
>
> Yes, the closure problem should create the problem more often.
>
> If it happens so seldom, it really might be a problem of generating
> session ids.
>
> Apache::Session generates the id by doing an md5 hash on a random
> number (time() . {} . rand() . $$), maybe there are situations where
> it generates the same id (also this should normally not happen).
MD5 hash collisions very well could have that frequency, at that volume. How hard would it be to change the code to use a SHA or SSHA hash instead? (Admittedly, I'm picking a more cryptographically secure hash at pseudo-random; there may be one that's more appropriate.)

Note that I realize they take longer to generate, but that time only happens at login, not per page view, and it should reduce the hash collision rate dramatically.

Ed
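An added example, not part of the original thread and not Apache::Session code: it puts the birthday bound for a 128-bit id at the login volume quoted above next to the duplicates that appear when the hashed input itself repeats, for MD5 and SHA-256 alike. The input layout, the 20-bit entropy figure and all function names are constructed assumptions for illustration.

```python
import hashlib
import math
import random


def birthday_collision_probability(n_ids: int, bits: int) -> float:
    """P(at least one duplicate) among n_ids uniform random values of `bits` bits."""
    # 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps precision when the result is tiny.
    return -math.expm1(-n_ids * (n_ids - 1) / 2.0 ** (bits + 1))


def constructed_inputs(n: int, entropy_bits: int, rng: random.Random) -> list:
    """Constructed stand-in for time() . {} . rand() . $$ in which only
    `entropy_bits` bits actually vary between logins (an assumption)."""
    return [
        "1100500000" + "HASH(0x8a3f2c)" + str(rng.getrandbits(entropy_bits)) + "4242"
        for _ in range(n)
    ]


def duplicate_ids(seed_inputs, algo: str) -> int:
    """Count session ids that repeat when every input is hashed with `algo`."""
    seen, dupes = set(), 0
    for s in seed_inputs:
        sid = hashlib.new(algo, s.encode()).hexdigest()
        if sid in seen:
            dupes += 1
        seen.add(sid)
    return dupes


def demo() -> dict:
    rng = random.Random(2004)  # fixed seed so the run is repeatable
    inputs = constructed_inputs(15000, 20, rng)  # one day of logins
    return {algo: duplicate_ids(inputs, algo) for algo in ("md5", "sha256")}


if __name__ == "__main__":
    year = 15000 * 365
    print("128-bit ids, one year of logins:",
          birthday_collision_probability(year, 128))
    print("duplicates per hash with 20-bit inputs:", demo())
```

Duplicate ids track duplicate inputs whichever hash is used, so a design that also checks for an existing id before storing a new session catches the case regardless of how ids are generated.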