At 05:39 PM 10/11/2001 -0400, Geoff Talvola wrote:
> Sure. Just make a longer random number to use as the random part of the
> session ID.
>
> Actually, a bigger flaw may be in relying on Python's pseudo-random number
> generator. Suppose you send a quick flurry of ten requests to WebKit,
> therefore generating 10 random session IDs in sequence. You might be able
> to use those 10 numbers to predict what the next number will be. After
> all, it's just a pseudo-random number generator. So you may be able to
> make a very educated guess what the next session ID is going to be.
>
> This is why concatenating in a blob of truly random data and sha'ing or
> md5'ing it would be better. That would be next to impossible for anyone
> to guess.

Okay, I'm convinced. I'm also going to be quiet the rest of the day... need to get some other things done...

-Chuck

_______________________________________________
Webware-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/webware-devel
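The two approaches discussed in the thread, as an added example that is not part of the original e-mail or of Webware/WebKit's own session code. The first helper builds an ID from a seedable `random.Random` instance (the pattern Geoff warns about) and `prng_is_reproducible` shows why it is a concern: two generators started from the same state emit the same sequence of IDs, so the output is a function of internal state rather than of anything secret. The second helper follows Geoff's suggestion of mixing in a blob of OS-provided random bytes and hashing the result; the third uses `secrets.token_hex`, which draws directly from the OS CSPRNG and is the idiomatic choice on modern Python. Function names, the 32-byte blob size and the seed value are constructed for illustration.

```python
import hashlib
import os
import random
import secrets


def weak_session_id(rng: random.Random) -> str:
    """Session ID whose only source of randomness is a seedable PRNG.

    This is the pattern the thread cautions against: the value depends
    entirely on the generator's internal state, not on any secret input.
    """
    return "%016x" % rng.getrandbits(64)


def prng_is_reproducible(seed: int, n: int = 10) -> bool:
    """Show the determinism behind the concern in the thread.

    Two generators seeded identically yield identical sequences of IDs,
    i.e. the IDs are a pure function of generator state.
    """
    a = random.Random(seed)
    b = random.Random(seed)
    ids_a = [weak_session_id(a) for _ in range(n)]
    ids_b = [weak_session_id(b) for _ in range(n)]
    return ids_a == ids_b


def hashed_session_id(context: str = "", nbytes: int = 32) -> str:
    """Geoff's suggestion: concatenate a blob of truly random data and hash it.

    The hash only fixes the output format; the unguessability comes from
    os.urandom(), which is fed by the operating system's entropy pool.
    SHA-256 is used here in place of the thread's sha/md5 (an assumption).
    """
    blob = context.encode("utf-8") + os.urandom(nbytes)
    return hashlib.sha256(blob).hexdigest()


def token_session_id(nbytes: int = 32) -> str:
    """Modern equivalent: the secrets module reads straight from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


def ids_are_unique(ids) -> bool:
    """Cheap sanity check a session store should perform: no duplicate IDs issued."""
    return len(set(ids)) == len(ids)


if __name__ == "__main__":
    print("PRNG IDs reproducible from seed:", prng_is_reproducible(1234))
    print("hashed ID:", hashed_session_id("webkit-session"))
    print("token  ID:", token_session_id())
    print("1000 token IDs unique:",
          ids_are_unique([token_session_id() for _ in range(1000)]))
```

Note that the hashing step in `hashed_session_id` adds no entropy of its own: a 64-character hex digest built from 32 random bytes carries 256 bits of unpredictability because of `os.urandom`, not because of SHA-256. If the random blob is small, hashing it does not make the ID any harder to guess.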
