* Ian Bicking <[EMAIL PROTECTED]> [011011 22:23]:
> Geoff Talvola <[EMAIL PROTECTED]> wrote:
> > That reminds me of something I meant to bring up a while ago. Session IDs
> > are currently not very random. Only the last 5 digits are actually random
> > -- the rest of it is just the current time expressed as a string.
> >
> > This could be a security hole in that it makes it not too hard to guess the
> > session ID and take over a session.
>
> Well, if you also used IP number in the session, you'd make it much
> more secure. Potentially a malicious snoop could intercept the HTTP
> requests and get the cookie, no matter how random. But it's
> considerably more difficult to get the cookie and impersonate or
> intercept the IP address.
>
> Simply guessing the session ID wouldn't provide anything, either,
> since again it's quite hard to fake an IP address effectively.
If someone can sniff out your session, he can easily fake the TCP/IP connection with ease.

I wrote something about trying to secure HTTP sessions; it all boils down to the fact that if the attacker can sniff your connection, the only chance is SSL, anything else can be overcome. If the attacker cannot sniff your connection, then making sure the SessionID is hard to guess will suffice: just MD5/SHA1 a large enough blob of random data and you should be fine.

Note, I'm not a security expert or anything, just someone with enough interest in the topics of Cryptography and Computer Security.

The said article can be found at http://baruch.ev-en.org/writings/WebAuthentication.html

It includes a buildup of the ideas and is hopefully in a clear enough language.

--
Baruch Even
http://baruch.ev-en.org/
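To make the two positions in the thread concrete, here is an added example (not code from the thread or from Webware) that imitates the scheme Geoff describes, a timestamp string followed by five random digits, beside the "hash a large blob of random data" approach Baruch recommends. The weak scheme, the timestamp value and the use of SHA-256 in place of the MD5/SHA1 named in 2001 are assumptions for illustration.

```python
import hashlib
import math
import os
import secrets
import time


def weak_session_id(now=None, rng=None):
    """Constructed imitation of the scheme criticised in the thread:
    the current time as a decimal string plus five random digits.
    Everything except the last five digits is predictable."""
    now = time.time() if now is None else now
    rng = secrets.SystemRandom() if rng is None else rng
    return "%d%05d" % (int(now), rng.randrange(100000))


def strong_session_id(nbytes=32):
    """Hash a large blob of OS-provided random bytes, as the post suggests.
    The hash gives a fixed-length printable ID; the entropy comes from
    os.urandom, so nbytes decides how much an attacker must guess."""
    return hashlib.sha256(os.urandom(nbytes)).hexdigest()


def attacker_unknown_bits(scheme, nbytes=32):
    """Bits an attacker who knows the request time still has to guess.
    Weak: only the five random digits (10**5 values) are unknown.
    Strong: all random input bits, capped by the 256-bit digest."""
    if scheme == "weak":
        return math.log2(10 ** 5)
    if scheme == "strong":
        return float(min(8 * nbytes, 256))
    raise ValueError("unknown scheme: %r" % scheme)


def common_prefix_len(ids):
    """Length of the prefix shared by every ID in the list. A long shared
    prefix means most of the ID carries no secret at all."""
    return len(os.path.commonprefix(list(ids)))


if __name__ == "__main__":
    now = 1002834180.0  # constructed timestamp (October 2001)
    weak = [weak_session_id(now) for _ in range(1000)]
    strong = [strong_session_id() for _ in range(1000)]
    print("weak  shared prefix:", common_prefix_len(weak), "chars,",
          round(attacker_unknown_bits("weak"), 1), "unknown bits")
    print("strong shared prefix:", common_prefix_len(strong), "chars,",
          attacker_unknown_bits("strong"), "unknown bits")
```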
