
Re: [cgiapp] CGI::Session::ID::md5->generate_id & data collision


On Tue, 10 Jan 2006 13:51:29 -0500 Perrin Harkins <suppressed>
wrote:
> > The only other easy option appears to be using
> > CGI::Session::ID::incr.
> 
> There is also APR::UUID for mod_perl users, a database sequence, or
> another UUID module.
> 
> > And unless you protect the cookie somehow, users can steal each
> > others' sessions which somewhat defeats the purpose of using
> > FormState to protect hidden fields in the first place.
> 
> Yes, you definitely want to use a HMAC if you have guessable IDs.  The
> ones generated by mod_unique_id are guessable.

I can't understand why you do not simply use huge random IDs?

-- 
Best regards,
Strong.
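The two approaches discussed in this thread side by side, as an added example that is not code from the original message or from CGI::Session: a guessable ID (such as one from CGI::Session::ID::incr) is signed with an HMAC so a user cannot forge another user's cookie, and, as the alternative, an ID is drawn from /dev/urandom with enough bits that guessing is infeasible and no MAC is needed. The secret, the cookie format (`id.hex-mac`), the function names and the 128-bit length are assumptions chosen for the example; only Digest::SHA from core Perl is used.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Hypothetical server-side secret; in a real deployment load it from a
# file outside the document root and keep it out of version control.
my $SECRET = 'replace-with-a-long-random-secret';

# Sign a guessable id (e.g. from CGI::Session::ID::incr or mod_unique_id)
# so that knowing or guessing someone else's id is not enough to use it.
sub sign_id {
    my ($id) = @_;
    return $id . '.' . hmac_sha256_hex($id, $SECRET);
}

# Verify a signed cookie value; returns the bare id, or undef on failure.
sub verify_id {
    my ($cookie) = @_;
    my ($id, $mac) = $cookie =~ /^(\d+)\.([0-9a-f]{64})\z/ or return undef;
    my $expected = hmac_sha256_hex($id, $SECRET);
    return consteq($mac, $expected) ? $id : undef;
}

# Constant-time comparison so the check does not leak how many leading
# characters of a forged MAC were correct.
sub consteq {
    my ($x, $y) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# The alternative: a 128-bit random id cannot be guessed, so it needs
# no MAC. Reads the kernel CSPRNG directly (Unix only).
sub random_id {
    open(my $fh, '<:raw', '/dev/urandom') or die "open /dev/urandom: $!";
    my $got = read($fh, my $bytes, 16);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack('H*', $bytes);   # 32 hex characters
}

# Demonstration with a constructed id.
my $signed = sign_id(42);
print "signed:   $signed\n";
print "verified: ", (defined verify_id($signed) ? 'ok' : 'rejected'), "\n";

# Changing the id without the secret invalidates the MAC.
(my $tampered = $signed) =~ s/^42\./43./;
print "tampered: ", (defined verify_id($tampered) ? 'ok' : 'rejected'), "\n";

print "random:   ", random_id(), "\n";
```

Run it as a plain script; the second verify prints `rejected` because the MAC was computed over `42`, not `43`. The HMAC only protects the id from forgery: it does not stop a session from being replayed if the cookie itself is captured, which is why the cookie should still travel over HTTPS with the Secure and HttpOnly flags set.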
