Geoff Talvola <[EMAIL PROTECTED]> wrote:
> That reminds me of something I meant to bring up a while ago. Session IDs
> are currently not very random. Only the last 5 digits are actually random
> -- the rest of it is just the current time expressed as a string.
>
> This could be a security hole in that it makes it not too hard to guess the
> session ID and take over a session.
Well, if you also used IP number in the session, you'd make it much more secure. Potentially a malicious snoop could intercept the HTTP requests and get the cookie, no matter how random. But it's considerably more difficult to get the cookie and impersonate or intercept the IP address. Simply guessing the session ID wouldn't provide anything, either, since again it's quite hard to fake an IP address effectively.

The only disadvantage is for people on dialup, if they redial they will probably get a new IP address and will have to start a new session, even if they never closed their browser. A more complete solution might be, in secure situations, to have some way of intercepting a good session with a bad IP, and require relogin to restore their old session. Or, right now, you store their IP number in their session, and give a warning if it changes. Then if there's an imposter online at the same time as the real user, the real user will keep getting warning messages and hopefully realize something's wrong.

Actually, now that I think of it, all of this is easily doable without changing Session itself, but just how you use it.

Ian

_______________________________________________
Webware-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-devel
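The two points raised in the thread (a session ID whose only unpredictable part is five decimal digits, and binding a session to the client address with a warning or forced relogin when it changes) can be put side by side in a small example. The code below is added here as an illustration and is not Webware's Session class or anything either poster wrote; `SessionStore`, its method names, and the sample addresses are all invented for the example. It measures the guess space of the time-plus-five-digits scheme, generates IDs from the operating system's CSPRNG instead, and implements Ian's "store the IP, warn on change, relogin to rebind" policy.

```python
import math
import secrets
import time

# Constructed example; not Webware's Session code. Names are hypothetical.


def weak_session_id(now=None):
    """The scheme criticised in the thread: current time as a string followed
    by five random digits. Kept only to measure it; never use this."""
    now = time.time() if now is None else now
    return "%d%05d" % (int(now), secrets.randbelow(100000))


def weak_id_entropy_bits():
    """Once an attacker knows the second a session was created (timestamps are
    often visible, e.g. in logs or nearby cookies), only the five digits are
    unknown: 10**5 candidates, about 16.6 bits."""
    return math.log2(10 ** 5)


def strong_session_id():
    """32 bytes from the OS CSPRNG, URL-safe base64 encoded: 256 bits of
    entropy, independent of the clock."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """Sessions bound to the client address, following the advice in the reply:
    warn when the address changes, and only accept a new address after the
    user has logged in again."""

    def __init__(self):
        self._sessions = {}

    def create(self, client_ip, user):
        sid = strong_session_id()
        self._sessions[sid] = {"user": user, "ip": client_ip, "warnings": 0}
        return sid

    def lookup(self, sid, client_ip):
        """Return (status, session). status is 'ok', 'unknown' or 'ip_mismatch'.
        On a mismatch the session is NOT handed out; the warning counter lets
        the application show the real user that something is wrong."""
        sess = self._sessions.get(sid)
        if sess is None:
            return "unknown", None
        if sess["ip"] != client_ip:
            sess["warnings"] += 1
            return "ip_mismatch", None
        return "ok", sess

    def rebind_after_relogin(self, sid, client_ip, user):
        """The dialup case: the same user re-authenticates from a new address
        and gets their old session back. Anyone else presenting the ID from a
        different address is refused."""
        sess = self._sessions.get(sid)
        if sess is None or sess["user"] != user:
            return False
        sess["ip"] = client_ip
        sess["warnings"] = 0
        return True


if __name__ == "__main__":
    print("weak id:", weak_session_id(), "(~%.1f unknown bits)" % weak_id_entropy_bits())
    store = SessionStore()
    sid = store.create("203.0.113.5", "alice")  # constructed sample address
    print("strong id:", sid)
    print(store.lookup(sid, "203.0.113.5")[0])     # ok
    print(store.lookup(sid, "198.51.100.9")[0])    # ip_mismatch
    print(store.rebind_after_relogin(sid, "198.51.100.9", "alice"))  # True
    print(store.lookup(sid, "198.51.100.9")[0])    # ok
```

The `ip_mismatch` branch deliberately returns no session data, so the application can choose between Ian's two options: show a warning and continue with a fresh session, or present the login form and call `rebind_after_relogin` once the credentials check out. Note that address binding is a supplement, not a substitute, for an unpredictable ID: users behind a shared proxy or NAT all present the same address, so the ID itself still has to carry the entropy.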
