On Fri, 10 Jan 2003, Jim Jagielski wrote:
> But it doesn't change the fact that randomness != uniqueness, which is
> what Glenn's point was I think.

Just as an example; doing

    on issue
        synchronized count++;
        id = count.ipaddr
        add port if you must :-)

gives you a rather unique (but predictable) session id. The uniqueness of the ipaddress obviously relies on the registry function of iana/ripe/et.al. combined with your site/provider IP management.

Or if it must be unpredictable do something like:

    on init
        seed = true-rand... or config-file-entry
    on issue
        id = md5( seed . count . ipaddr );

or if you do not trust md5's or find them too expensive

        id = hash(seed.count.ipaddr).count.ipaddr

with hash = md4, md5, sha1, crypt, .. as long as it is one way -and- seed is truly random or manually chosen to be proper.

OR if you want to check a session id prior to spending (lookup) cycles on them to counter DoS-s then do something like

    id = hash(seed.count.hisip.ipaddr).count.ipaddr.hisip

and on accept do

    hisip = from-accept-stack-info()
    s,c,i1,i2 = splice(id)
    i2 == hisip ?
    i1 == myip ?
    hash(seed.c.hisip.myip) == s ?
    now do the expensive stuff

add a time-of-issue if needed if you are worried about that. Obviously now the seed -must- be a config secret; as otherwise you cannot restart your server without blowing all sessions out of the water.

Dw.
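The pre-check scheme from the message above, written out as an added example that is not part of the original post. It assumes HMAC-SHA256 in place of the plain hash(seed . ...) concatenation and "-" as the field separator (the addresses themselves contain dots); the function names, the seed value and the addresses are constructed for illustration.

```python
import hashlib
import hmac
import itertools
import threading

# Assumption: constructed demo secret. In practice it is read from the server
# configuration so issued ids survive a restart, as the message notes.
SEED = b"constructed-demo-secret"
MY_IP = "192.0.2.10"  # constructed server address (documentation range)

_counter = itertools.count(1)
_lock = threading.Lock()


def _tag(seed, count, his_ip, my_ip):
    # HMAC-SHA256 stands in for hash(seed.count.hisip.ipaddr); the "|"
    # separator keeps the concatenated fields unambiguous.
    msg = f"{count}|{his_ip}|{my_ip}".encode()
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()


def issue(his_ip, seed=SEED, my_ip=MY_IP):
    """Return id = tag-count-myip-hisip for the connecting client."""
    with _lock:  # the "synchronized count++" step
        count = str(next(_counter))
    return "-".join([_tag(seed, count, his_ip, my_ip), count, my_ip, his_ip])


def precheck(session_id, peer_ip, seed=SEED, my_ip=MY_IP):
    """Cheap validation before any session lookup; returns count or None."""
    parts = session_id.split("-")
    if len(parts) != 4:
        return None
    tag, count, i1, i2 = parts
    # i2 == hisip ?  i1 == myip ?  (peer_ip comes from the accepted socket)
    if i2 != peer_ip or i1 != my_ip:
        return None
    if not (count.isascii() and count.isdigit()):
        return None
    expected = _tag(seed, count, peer_ip, my_ip)
    # Constant-time comparison so the check does not leak tag bytes.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return int(count)  # only now do the expensive session lookup
```

A rejected id costs one split and at most one HMAC, with no session-store access.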