On Fri, 10 Jan 2003, Jim Jagielski wrote:

> But it doesn't change the fact that randomness != uniqueness, which is
> what Glenn's point was I think.

Just as an example, doing on issue

        synchronized count++;
        id = count.ipaddr
                add port if you must :-)

gives you a rather unique (but predictable) session id. The uniqueness of
the ipaddress obviously relies on the registry function of iana/ripe/et al.
combined with your site/provider IP management.

or if it must be un-predictable do something like:

        on init
                seed = true-rand... or config-file-entry

        on issue
                id = md5( seed . count . ipaddr );

or if you do not trust md5's or find them too expensive

        id = hash(seed.count.ipaddr).count.ipaddr
                with hash = md4, md5, sha1, crypt, ..
                        as long as it is one way -and-
                        seed is truly random or manually chosen
                        to be proper.

OR if you want to check a session id prior to spending
(lookup) cycles on them to counter DoS-es then do something like

        id = hash(seed.count.hisip.ipaddr).count.ipaddr.hisip

and on accept do
                hisip = from-accept-stack-info()
                s,c,i1,i2 = splice(id)
                i2 == hisip ?
                i1 == myip ?
                hash(seed.c.hisip.myip) == s ?
                now do the expensive stuff

add a time-of-issue if needed if you are worried about that. Obviously now
the seed -must- be a config secret; as otherwise you cannot restart your
server without blowing all sessions out of the water.

Dw.
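The issue/accept scheme sketched above (hash(seed.count.hisip.ipaddr).count.ipaddr.hisip, with the cheap field and hash checks done before any lookup), as an added example that is not from the post or from httpd. It assumes sha256 in place of md5, a "|" field separator (the post's "." would collide with the dots in IP addresses), a lock as the "synchronized" counter, and constant-time comparison of the hash part.

```python
import hashlib
import hmac
import threading

# Field separator; the post writes "." for concatenation, but IPs contain dots.
SEP = "|"


class SessionIssuer:
    """Issues and checks ids of the form hash|count|myip|hisip.

    seed must be a config secret, as the post notes, so that a server
    restart does not invalidate every outstanding session.
    """

    def __init__(self, seed: str, myip: str):
        self.seed = seed
        self.myip = myip
        self.count = 0
        self.lock = threading.Lock()  # the post's "synchronized count++"

    def _tag(self, count: int, hisip: str) -> str:
        # hash(seed . count . hisip . myip); sha256 stands in for md5 here
        data = SEP.join([self.seed, str(count), hisip, self.myip]).encode()
        return hashlib.sha256(data).hexdigest()

    def issue(self, hisip: str) -> str:
        with self.lock:
            self.count += 1
            count = self.count
        return SEP.join([self._tag(count, hisip), str(count), self.myip, hisip])

    def check(self, session_id: str, hisip: str) -> bool:
        """On accept: s,c,i1,i2 = splice(id); i2 == hisip? i1 == myip?
        hash(seed.c.hisip.myip) == s?  Only then do the expensive lookup."""
        parts = session_id.split(SEP)
        if len(parts) != 4:
            return False
        s, c, i1, i2 = parts
        if i2 != hisip or i1 != self.myip or not c.isdigit():
            return False
        # constant-time compare so the hash check itself leaks nothing
        return hmac.compare_digest(self._tag(int(c), hisip), s)
```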


