On Tue, 16 Nov 2004, Stefan Cars wrote:
> Ed Grimm wrote:
>> On Mon, 15 Nov 2004, Pierre Etchemaite wrote:
>>>Le lun 15 nov 2004 18:24:06 CET, Ed Grimm <[EMAIL PROTECTED]>
>>>a écrit :
>>>
>>>>>Apache::Session generates the id by doing a md5 hash on a random
>>>>>number (time () . {} . Rand() . $$) , maybe there are situation
>>>>>where it generates the same id (also this should normaly not
>>>>>happen).
>>>>
>>>>MD5 hash collisions very well could have that frequency, at that volume.
>>>>
>>>>How hard would it be to change the code to use a SHA or SSHA hash
>>>>instead? (Admittedly, I'm picking a more cryptographically secure hash
>>>>at psuedo-random; there may be one that's more appropriate.)
>>>
>>>Collisions with a 128 bits digest are *very* unlikely. It's more likely the
>>>original pseudo random number that provides less than 128 bits of entropy.
<snip>
> One of the things that is strange though (or maybe not? ) is that when
> we get reports of this, it looks like they always logged in almost at
> the same time (within 30 min from each other). Does that say anything to
> you ?
Given that you think 30 minutes is "close", that tells me that you're
not having a collision on the original pseudo random number - for that
to hit, you'd need them to be happening on the same second, and serviced
by the same apache child process.
It also suggests to me that either your sessions do not tend to last
much longer than 30 minutes, or that the special situation that triggers
the MD5 entropy loss is time-localized (this is not, actually,
surprising.) I'd personally suspect the latter, rather than the former.
Ed
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
