At 03:29 PM 10/11/2001 -0400, Geoff Talvola wrote:

>At 12:14 PM 10/11/01 -0700, Chuck Esterbrook wrote:
>
>>The idea behind externalId is that you could safely use it externally to refer to a user. Safely means that 1. it would be hard for someone to guess (and therefore impersonate another user) and 2. would not reveal private information about the user. This basically means an opaque, lengthy randomized id. I believe UserKit already provides that.
>>
>>And here's an example application of it: If the user chooses a "[ ] Remember me" checkbox when signing in, you would store their externalId in an indefinite cookie. Using their employee id for this would be bad for several reasons. 1. If I get access to someone's machine I can discern their employee id by looking at their cookies. 2. If I already know their id, I can impersonate them by editing my cookies file. 3. If ids are easily guessed (perhaps they are consecutive) I can easily impersonate random employees.
>
>That reminds me of something I meant to bring up a while ago. Session IDs are currently not very random. Only the last 5 digits are actually random -- the rest of it is just the current time expressed as a string.
>
>This could be a security hole in that it makes it not too hard to guess the session ID and take over a session.
>
>Any ideas how this could be made more random? One idea is to construct the session ID by taking the existing session ID, concatenating it with a big blob of random characters perhaps generated at Webware install time, and run it through md5 or sha and spit out the hexdigest. This will end up with a string that should be unguessable unless the guesser has access to the original blob of random characters.
>
>--
>
>- Geoff Talvola
> [EMAIL PROTECTED]
>
>_______________________________________________
>Webware-devel mailing list
>[EMAIL PROTECTED]
>https://lists.sourceforge.net/lists/listinfo/webware-devel
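The weak "time string plus five random digits" session ID and Geoff's proposed keyed-hash derivation, side by side as an added example (not Webware's actual code). The install-time blob is modelled as a 32-byte secret and the derivation is written as HMAC-SHA256 rather than a bare md5/sha of the concatenation; `weak_session_id`, `derive_session_id` and the other function names are assumptions for this illustration.

```python
import hashlib
import hmac
import random
import secrets
import time

# Reconstruction of the scheme described in the thread (not Webware's real
# code): the current time as a string followed by five random digits. The
# time prefix is public knowledge, so only the five digits are secret.
def weak_session_id(now=None, rng=None):
    now = time.time() if now is None else now
    rng = rng if rng is not None else random.Random()
    return "%d%05d" % (int(now), rng.randrange(100000))

# How many candidate IDs exist if the session start time is known to within
# `window_seconds`: 10**5 per second of uncertainty. This is the number that
# makes the original scheme "not too hard to guess".
def weak_guess_space(window_seconds):
    return window_seconds * 100000

# Generated once at install time and persisted with restrictive permissions;
# `secrets` draws from the OS CSPRNG.
def make_install_secret(nbytes=32):
    return secrets.token_bytes(nbytes)

# Geoff's proposal: combine the existing ID with the install-time blob and
# hash it. HMAC is used instead of hashing the plain concatenation because it
# is the standard keyed construction and is not exposed to length extension.
# The output is unpredictable only while the secret stays private: the
# derived ID is still a deterministic function of the weak one.
def derive_session_id(weak_id, install_secret):
    return hmac.new(install_secret, weak_id.encode("ascii"),
                    hashlib.sha256).hexdigest()

# The simpler modern answer: take the whole ID from the OS CSPRNG, so nothing
# about it depends on the clock at all.
def random_session_id(nbytes=16):
    return secrets.token_hex(nbytes)

if __name__ == "__main__":
    secret = make_install_secret()
    weak = weak_session_id()
    print("weak:    %s (guess space for a 60s window: %d)"
          % (weak, weak_guess_space(60)))
    print("derived:", derive_session_id(weak, secret))
    print("random: ", random_session_id())
```

Whichever variant is used, the server should key its session table on the derived or random ID, so the clock-based value is never sent to the client.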
