I'm wondering whether generation of SSL session ID has to be based on random numbers. In my system, it would be more comfortable for me to generate a sequentially incrementing 64-bit or 128-bit session ID, with some constant padding. Does this violate the security of SSL in any way?
Definitely. If someone can steal your session, they can steal authentication.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
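
An added example, not part of the thread and not OpenSSL code: one way to keep an internal sequential counter while issuing session IDs that cannot be predicted from earlier ones, by deriving each ID as HMAC-SHA256 over the counter under a server-side secret key. The names `sequential_id`, `SessionIdIssuer` and `looks_sequential` are hypothetical; the 32-byte length is the maximum size of an SSL/TLS session ID.

```python
import hashlib
import hmac
import secrets

ID_LEN = 32  # SSL/TLS session IDs are at most 32 bytes


def sequential_id(counter, pad=b"\x00" * 16):
    """The scheme from the question: a 128-bit counter plus constant padding."""
    return counter.to_bytes(16, "big") + pad


class SessionIdIssuer:
    """Hypothetical issuer: the counter stays internal, only its keyed MAC is sent."""

    def __init__(self, key=None):
        # Assumption: the key is generated once per server and never leaves it.
        self._key = key or secrets.token_bytes(32)
        self._counter = 0

    def next_id(self):
        self._counter += 1
        msg = self._counter.to_bytes(16, "big")
        # Distinct counters give distinct IDs except with negligible probability,
        # and the next ID cannot be computed without the key.
        return hmac.new(self._key, msg, hashlib.sha256).digest()[:ID_LEN]


def looks_sequential(ids):
    """Audit check: True if each ID differs from the previous by one fixed step."""
    if len(ids) < 3:
        return False
    nums = [int.from_bytes(i, "big") for i in ids]
    deltas = {b - a for a, b in zip(nums, nums[1:])}
    return len(deltas) == 1


if __name__ == "__main__":
    issuer = SessionIdIssuer()
    print("counter+padding flagged:", looks_sequential([sequential_id(n) for n in range(1, 6)]))
    print("HMAC-derived flagged:  ", looks_sequential([issuer.next_id() for _ in range(5)]))
```
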
