At 01:29 PM 10/11/01 -0700, Chuck Esterbrook wrote:
>Okay, so I'm curious how you would actually guess a session on my server?
>You need to get a number between 0 and 99999 AND you need to know the
>exact date, including second, that the session was created.
>
>You say that "only the last 5 digits are actually random" but that doesn't
>mean the other 14 digits are negligible. They're not. I'll go ahead and
>give you the year, month and day, but where are you going to come up with
>the correct hour, minute, second AND a 5 digit random number?
I could write a program that keeps on trying random session IDs with the date/time part of the session ID set to a couple of minutes ago, so the session is likely to still be around. It might take hundreds of thousands of tries but it would eventually find a valid session ID, especially on a site that gets a lot of traffic and therefore has a lot of new sessions getting created all the time.

I'll admit that this is near the bottom on the list of things to worry about. But if your site contains sensitive information that someone might go to the effort of breaking into, it would make sense to think about it. Especially if you're already securing the site with SSL, then the session ID would become the weak link in your security.

A much more likely annoyance is that someone could just flood the server with requests, making the site grind to a halt.

-- 
- Geoff Talvola
[EMAIL PROTECTED]

_______________________________________________
Webware-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-devel
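The point of the exchange above is that the 14 timestamp digits add far less entropy than their length suggests, because an attacker who can estimate when sessions were created only has to cover a small window of seconds. The following is an added example, not code from the thread or from Webware itself; it models the ID format the two posters describe (14-digit creation time plus a 5-digit random number), quantifies the entropy that is left once the creation time is known to within a window, flags IDs of that shape during an audit, and shows the CSPRNG-backed replacement. All function names are hypothetical.

```python
import math
import secrets
from datetime import datetime

# Added example, not Webware's own session code. Models the ID format
# discussed in the thread: 14 digits of creation time (YYYYMMDDHHMMSS)
# followed by a 5-digit random number in 0..99999. Helper names are
# hypothetical.

TIMESTAMP_FMT = "%Y%m%d%H%M%S"


def weak_session_id(random_part, created=None):
    """Build a thread-style ID: 14-digit timestamp + 5-digit random number."""
    if not 0 <= random_part <= 99999:
        raise ValueError("random part must be in 0..99999")
    created = created or datetime.now()
    return f"{created.strftime(TIMESTAMP_FMT)}{random_part:05d}"


def looks_like_weak_id(session_id):
    """Audit check: 19 decimal digits whose first 14 parse as a timestamp.

    Useful for scanning a cookie jar or session store for IDs that leak
    their creation time and carry only ~16.6 bits of real randomness."""
    if len(session_id) != 19 or not session_id.isdigit():
        return False
    try:
        datetime.strptime(session_id[:14], TIMESTAMP_FMT)
    except ValueError:
        return False
    return True


def effective_entropy_bits(random_digits, window_seconds):
    """Entropy left once the creation time is known to within a window.

    The 14 timestamp digits contribute only log2(window_seconds) bits,
    because every ID created inside that window shares the same prefix
    up to the second; the random suffix contributes log2(10**digits)."""
    search_space = (10 ** random_digits) * window_seconds
    return math.log2(search_space)


def strong_session_id(nbytes=32):
    """CSPRNG-backed token; entropy is 8 * nbytes bits and independent of time."""
    return secrets.token_urlsafe(nbytes)


def strong_entropy_bits(nbytes=32):
    """Entropy of strong_session_id(nbytes), for comparison."""
    return 8 * nbytes


if __name__ == "__main__":
    # Constructed sample: a session created at the time of the quoted mail.
    sample = weak_session_id(12345, datetime(2001, 10, 11, 13, 29, 0))
    print(sample, "weak format:", looks_like_weak_id(sample))
    print(f"creation second known:  {effective_entropy_bits(5, 1):.1f} bits")
    print(f"two-minute window:      {effective_entropy_bits(5, 120):.1f} bits")
    print(f"token_urlsafe(32):      {strong_entropy_bits(32)} bits")
```

With the creation second known, the whole 19-digit ID collapses to the 5 random digits, about 16.6 bits; even a two-minute window of uncertainty only raises that to about 23.5 bits, which is why the timestamp portion should not be counted as secret material. A 32-byte token from `secrets.token_urlsafe` carries 256 bits regardless of when it was issued, and the session store can still record the creation time separately for expiry without exposing it in the ID.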
