At 12:14 PM 10/11/01 -0700, Chuck Esterbrook wrote:

>The idea behind externalId is that you could safely use it externally to
>refer to a user. Safely means that 1. it would be hard for someone to
>guess (and therefore impersonate another user) and 2. would not reveal
>private information about the user. This basically means an opaque,
>lengthy randomized id. I believe UserKit already provides that.
>
>And here's an example application of it: If the user chooses a "[ ]
>Remember me" checkbox when signing in, you would store their externalId in
>an indefinite cookie. Using their employee id for this would be bad for
>several reasons. 1. If I get access to someone's machine I can discern
>their employee id by looking at their cookies. 2. If I already know their
>id, I can impersonate them by editing my cookies file. 3. If ids are
>easily guessed (perhaps they are consecutive) I can easily impersonate
>random employees.

That reminds me of something I meant to bring up a while ago. Session IDs are currently not very random. Only the last 5 digits are actually random -- the rest of it is just the current time expressed as a string. This could be a security hole in that it makes it not too hard to guess the session ID and take over a session.

Any ideas how this could be made more random? One idea is to construct the session ID by taking the existing session ID, concatenating it with a big blob of random characters perhaps generated at Webware install time, and run it through md5 or sha and spit out the hexdigest. This will end up with a string that should be unguessable unless the guesser has access to the original blob of random characters.

--
- Geoff Talvola
[EMAIL PROTECTED]

_______________________________________________
Webware-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-devel
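The two session-ID constructions discussed in the message above, written out as an added Python example (this is not Webware's code and not Geoff's or Chuck's; the `weak_session_id` function is a constructed imitation of the "timestamp string plus five random digits" scheme as described, and the install-time secret is a constructed value). It shows why the timestamp prefix contributes nothing an attacker cannot predict, implements the proposed "hash the existing ID together with an install-time secret" fix using HMAC-SHA256 rather than a plain md5/sha over a concatenation, and, going beyond the message, adds the caveat that hashing hides the structure without adding entropy, so the durable fix is to draw the ID from a cryptographic random source in the first place.

```python
import hashlib
import hmac
import math
import secrets
import time

# Constructed imitation of the weak scheme described in the message:
# the current time as a string, followed by five random digits.
# (Not Webware's real implementation.)
def weak_session_id(now=None):
    now = time.time() if now is None else now
    return f"{int(now)}{secrets.randbelow(100000):05d}"

def weak_id_search_space():
    # Once the login time is known (it is roughly when the victim signed
    # in), only the trailing five digits are unknown to a guesser.
    return 10 ** 5

def weak_id_entropy_bits():
    # log2(10**5) is about 16.6 bits, far below the ~128 bits normally
    # wanted for an unguessable session token.
    return math.log2(weak_id_search_space())

# The fix proposed in the message: mix the existing ID with a secret blob
# generated once at install time and hash the result. HMAC-SHA256 is used
# here (assumption) so the secret is keyed in properly instead of merely
# concatenated; the output is a 64-character hex digest.
def hardened_session_id(raw_id: str, install_secret: bytes) -> str:
    return hmac.new(install_secret, raw_id.encode(), hashlib.sha256).hexdigest()

# Caveat: hashing makes the ID look random and stops an observer from
# reading the timestamp, but it adds no entropy. Anyone who obtains the
# install-time secret is back to the ~16.6-bit search space above, so the
# server-side secret must be protected like a key. A CSPRNG-generated ID
# does not depend on a single long-lived secret at all.
def fresh_session_id() -> str:
    return secrets.token_urlsafe(32)   # 256 bits of randomness, 43 chars

if __name__ == "__main__":
    secret = b"constructed-install-time-secret"   # placeholder value
    a = weak_session_id(now=1002827640)
    b = weak_session_id(now=1002827640)
    print("weak ids minted in the same second:", a, b)
    print("shared predictable prefix:", a[:-5] == b[:-5])
    print("weak entropy bits: %.1f" % weak_id_entropy_bits())
    print("hardened:", hardened_session_id(a, secret))
    print("csprng:", fresh_session_id())
```

Minting two weak IDs in the same second shows that they differ only in the last five characters; the hardened digest for a given raw ID is stable for one secret and changes completely under another, which is what makes it unguessable to someone without the secret.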
