I know, I asked just in case :-)) But if you combine seqid with the current time in milliseconds, for example, and produce an md5 hash that also includes the IP address, it will be much more difficult to hijack based just on the sequential number.
Ian Harding wrote:
> Vlad Seryakov wrote:
>> Why not use nsv_incr to generate a sequential session id?
>>
>> Or are sequential ids a bad idea?
>>
> It makes it super easy to hijack sessions. They are supposed to be difficult to brute force.
>
>> Ian Harding wrote:
>>
>>> Stephen Deasey wrote:
>>>
>>>> On Sun, Feb 15, 2009 at 6:55 PM, Ian Harding <harding....@gmail.com> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I am migrating to Naviserver from AOLServer mostly because of the excellent nsdbi module.
>>>>>
>>>>> My existing code depends on the nssession module http://bas.scheffers.net/aolserver/ . It doesn't compile and run unmodified under Naviserver, but before I start hacking on it, is there an existing session module or a tcl solution that someone else has already written?
>>>>>
>>>> I'm not sure that it's worth porting that module. The cache locking is broken, the file handling looks dodgy, and in general it has some odd ideas about configuration and string handling.
>>>>
>>>> If all you need to do is replicate some ns_session Tcl commands so your existing code works, then the easiest way would be to create a work-alike using the existing naviserver Tcl commands:
>>>>
>>>> * cookie handling: naviserver has this built in: http://naviserver.sourceforge.net/n/naviserver/files/ns_cookie.html
>>>>
>>>> * caching: also now built in: http://naviserver.sourceforge.net/n/naviserver/files/ns_cache.html
>>>>
>>>> * persisting the session: just use nsdbi, if you're already using it. If you really want to use the file system, use ns_hashpath in nsd/pathname.c to prevent enormous directories from bogging down the server.
>>>>
>>>> * ns_rand: already exposed.
>>>>
>>>> It will be more robust than the C nssession module, and almost certainly faster too.
>>>>
>>>> If you want to create something fancier as a C module, I'd be interested in helping.
>>>>
>>> Here is my lame hack at a tcl module. It has some problems and is not done, but it does seem to work for certain small values of "work".
>>>
>>> http://code.google.com/p/grop/source/browse/trunk/nssession.tcl
>>>
>>> I want to "hide" the internal methods (id, load, etc.) in a separate namespace, and will use a proper session id generator. I'd like to get rid of the upvar session_id. I wanted to use the connid as a key in a cache to look up the session_id for those cases where there is not a cookie set yet. I couldn't figure out how to get it. I was hoping there was a "ns_conn id" I could use.
>>>
>>> Anyway, I would appreciate all input on things I am doing wrong or could do better.
>>>
>>> - Ian
>>>
>>> ------------------------------------------------------------------------------
>>> Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
>>> -OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
>>> -Strategies to boost innovation and cut costs with open source participation
>>> -Receive a $600 discount off the registration fee with the source code: SFAD
>>> http://p.sf.net/sfu/XcvMzF8H
>>> _______________________________________________
>>> naviserver-devel mailing list
>>> naviserver-devel@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
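As an added example (this editor's Python sketch, not code from the thread, from Ian's nssession.tcl, or from NaviServer; every function name and the sample counter, timestamp and IP address are constructed), here are the three session-id schemes the thread discusses side by side: a bare nsv_incr-style counter, an md5 over counter + time in milliseconds + client IP, and a token drawn from the OS CSPRNG. The hashed scheme is then brute-forced over a bounded window, to show that what an attacker has to search is the set of plausible inputs (counter range x time window), not the 128-bit hash output, once the client IP is known:

```python
# Added example (editor's sketch, not NaviServer code): the three session-id
# schemes from the thread and a bounded brute-force against the hashed one.
# All names and sample values (counter, timestamp, IP) are constructed.
import hashlib
import math
import secrets
from itertools import product


def sequential_id(counter: int) -> str:
    """Scheme 1: nsv_incr style. The id is the counter itself, so the next
    valid id is the current one plus one."""
    return str(counter)


def hashed_id(counter: int, time_ms: int, client_ip: str) -> str:
    """Scheme 2: md5 over counter, millisecond timestamp and client IP.
    The digest is 128 bits wide, but only the input has to be guessed."""
    material = f"{counter}:{time_ms}:{client_ip}".encode()
    return hashlib.md5(material).hexdigest()


def random_id(nbytes: int = 16) -> str:
    """Scheme 3: token from the OS CSPRNG. 16 bytes gives 128 bits of
    entropy and there is nothing structured to enumerate."""
    return secrets.token_hex(nbytes)


def search_space_bits(counter_range: int, time_window_ms: int) -> float:
    """log2 of the number of (counter, time) candidates for scheme 2 once
    the client IP is known (shared NAT, same LAN, or simply observed)."""
    return math.log2(counter_range * time_window_ms)


def recover_hashed_id(target, client_ip, counter_lo, counter_hi, t_lo_ms, t_hi_ms):
    """Brute-force scheme 2 over a bounded window of counters and timestamps.
    Returns the (counter, time_ms) pair that reproduces target, or None."""
    for counter, t in product(range(counter_lo, counter_hi + 1),
                              range(t_lo_ms, t_hi_ms + 1)):
        if hashed_id(counter, t, client_ip) == target:
            return counter, t
    return None


# Constructed victim: the 1042nd session, created at a known millisecond
# timestamp, from an IP address the attacker knows.
VICTIM_COUNTER = 1042
VICTIM_TIME_MS = 1_234_567_890_123
VICTIM_IP = "203.0.113.7"


def demo():
    """Attacker model: saw its own sequential id within ~50 of the victim's
    and knows the login happened within +/-1 s. Returns what the search
    recovers together with the size of each search space in bits."""
    target = hashed_id(VICTIM_COUNTER, VICTIM_TIME_MS, VICTIM_IP)
    found = recover_hashed_id(target, VICTIM_IP,
                              VICTIM_COUNTER - 50, VICTIM_COUNTER + 50,
                              VICTIM_TIME_MS - 1000, VICTIM_TIME_MS + 1000)
    return {
        "recovered": found,                            # (1042, 1234567890123)
        "hashed_bits": search_space_bits(101, 2001),   # about 17.6 bits
        "random_bits": 8 * 16,                         # 128 bits
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly and it prints the recovered (counter, time) pair after roughly a hundred thousand md5 calls, which takes well under a second. The point of the design is to compare search spaces rather than hash widths: hashing predictable inputs only hides the structure, it does not add entropy, so the same reasoning applies to any hash-of-counter-plus-clock scheme. Whichever NaviServer command ends up generating the id, the check worth doing is that the generator behind it is seeded from the OS CSPRNG and the id carries at least 128 bits of it.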