At 03:29 PM 10/11/2001 -0400, Geoff Talvola wrote:
>That reminds me of something I meant to bring up a while ago. Session IDs
>are currently not very random. Only the last 5 digits are actually random
>-- the rest of it is just the current time expressed as a string.
>
>This could be a security hole in that it makes it not too hard to guess
>the session ID and take over a session.
>
>Any ideas how this could be made more random? One idea is to construct
>the session ID by taking the existing session ID, concatenating it with a
>big blob of random characters perhaps generated at Webware install time,
>and run it through md5 or sha and spit out the hexdigest. This will end
>up with a string that should be unguessable unless the guesser has access
>to the original blob of random characters.
First, let me say that I get burned using UNIX and Windows, because in many UNIX programs Ctrl-e goes to the end of the line and in Eudora for Windows it sends the current e-mail. That explains my last message. (And then there's Ctrl-Z vs. Ctrl-D combined with the fact that Python will specialize words like "exit" and "quit" but only to tell you that they don't work.)

Okay, so I'm curious how you would actually guess a session on my server? You need to get a number between 0 and 99999 AND you need to know the exact date, including second, that the session was created. You say that "only the last 5 digits are actually random" but that doesn't mean the other 14 digits are negligible. They're not. I'll go ahead and give you the year, month and day, but where are you going to come up with the correct hour, minute, second AND a 5 digit random number?

-Chuck

_______________________________________________
Webware-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-devel
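The two constructions discussed in this thread, side by side, as an added example (this is not Webware's session code and not from either poster). It assumes the timestamp part is a 14-digit `YYYYMMDDHHMMSS` string (the thread says "the other 14 digits" but not the exact layout), it stands in a constructed `INSTALL_SECRET` for the "big blob of random characters generated at install time", and it implements Geoff's hash-the-ID-with-a-secret idea as HMAC-SHA256 rather than a bare md5/sha digest. `weak_id_entropy_bits` puts a number on Chuck's question: it computes the size of the guess space in bits for the timestamp-plus-5-digits scheme given how precisely the creation time is known, so you can compare it with an ID read straight from the OS random source.

```python
import hashlib
import hmac
import math
import secrets
import time

# Constructed stand-in for the install-time random blob the thread proposes.
# In a real deployment this would be generated once and stored server-side.
INSTALL_SECRET = secrets.token_bytes(32)


def weak_session_id(now=None, rng=secrets):
    """Session ID in the shape the thread describes: a timestamp string
    (assumed layout YYYYMMDDHHMMSS, 14 digits) followed by 5 random digits.
    `rng` must provide randbelow(); it is a parameter so tests can fix it."""
    stamp = time.strftime("%Y%m%d%H%M%S", time.localtime(now))
    suffix = rng.randbelow(100000)          # 0..99999, as in the thread
    return f"{stamp}{suffix:05d}"


def hashed_session_id(weak_id, secret=INSTALL_SECRET):
    """Geoff's proposal: combine the existing ID with the install-time secret
    and hash it, returning a hexdigest. Done here with HMAC-SHA256 (a choice
    of this example) so the secret is mixed in by a keyed construction."""
    return hmac.new(secret, weak_id.encode(), hashlib.sha256).hexdigest()


def random_session_id(nbytes=16):
    """Alternative: take the ID directly from the OS CSPRNG, with no
    timestamp component at all. 16 bytes gives 128 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def weak_id_entropy_bits(time_window_seconds, random_suffix_space=100000):
    """Effective guess space of the weak scheme, in bits, when the creation
    time is known to within `time_window_seconds`. The timestamp contributes
    log2(window); the 5-digit suffix contributes log2(100000), about 16.6.
    If the exact second is known, only the suffix is left to guess."""
    return math.log2(time_window_seconds * random_suffix_space)


def random_id_entropy_bits(nbytes=16):
    """Entropy of an ID drawn from the CSPRNG: 8 bits per byte."""
    return 8 * nbytes


if __name__ == "__main__":
    weak = weak_session_id()
    print("weak:  ", weak)
    print("hashed:", hashed_session_id(weak))
    print("random:", random_session_id())
    for window in (1, 60, 3600, 86400):
        print(f"weak scheme, time known to {window:>5}s: "
              f"{weak_id_entropy_bits(window):5.1f} bits")
    print(f"random 16-byte id: {random_id_entropy_bits(16)} bits")
```

The entropy function is the useful part for a defender: a window of one day still leaves the weak scheme far below what a 16-byte random token provides, and the hashed form only helps if the install-time secret stays secret, which is exactly the condition Geoff states.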
