
Re: [cgiapp] CGI::Session::ID::md5->generate_id & data collision


On Tue, 2006-03-07 at 21:07 +0300, Strong wrote:
> On Tue, 10 Jan 2006 13:51:29 -0500 Perrin Harkins <suppressed>
> wrote:
> > > The only other easy option appears to be using
> > > CGI::Session::ID::incr.
> > 
> > There is also APR::UUID for mod_perl users, a database sequence, or
> > another UUID module.
> > 
> > > And unless you protect the cookie somehow, users can steal each
> > > others' sessions which somewhat defeats the purpose of using
> > > FormState to protect hidden fields in the first place.
> > 
> > Yes, you definitely want to use a HMAC if you have guessable IDs.  The
> > ones generated by mod_unique_id are guessable.
> 
> I can't understand why you do not simply use huge random IDs?

Because "random" ne "unique", and if you get one that isn't unique, you
will have problems.  Random also doesn't mean someone can't get lucky
and hit one if they write a script to try IDs all day.

- Perrin
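The two points made in this reply (a random ID is not automatically unique, and a guessable ID needs a MAC before it is safe to put in a cookie) can be shown together. The following is an added example written for this archive page; it is not code from CGI::Session, mod_unique_id or any of the posters. It assumes Perl with the core Digest::SHA module, a readable /dev/urandom, an illustrative hard-coded server secret, an in-memory hash standing in for the session store, and an arbitrary retry limit of five.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a long random secret known only to the server. In a real
# deployment load it from a file readable by the web server user only.
my $SECRET = 'replace-with-a-long-random-secret';

# 128 bits from the kernel CSPRNG, hex-encoded (32 characters).
sub random_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $got = read $fh, my $buf, 16;
    close $fh;
    die "short read from urandom" unless defined $got && $got == 16;
    return unpack 'H*', $buf;
}

# Attach an HMAC so a client cannot mint a cookie value that the server
# will accept, even when the bare ID is predictable (a counter, a
# mod_unique_id-style value, or simply one another user leaked).
sub sign_id {
    my ($id) = @_;
    return $id . '.' . hmac_sha256_hex($id, $SECRET);
}

# Constant-time compare so the MAC cannot be recovered byte by byte
# from timing differences.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns the bare ID when the cookie carries a valid MAC, undef otherwise.
sub verify_cookie {
    my ($cookie) = @_;
    my ($id, $mac) = $cookie =~ /^([0-9a-f]+)\.([0-9a-f]{64})$/ or return;
    return ct_eq($mac, hmac_sha256_hex($id, $SECRET)) ? $id : undef;
}

# "random" ne "unique": the store must still refuse a duplicate and the
# caller must retry, otherwise two users silently share one session.
# $store is a hash ref; $make_id is a code ref returning a candidate ID.
sub new_session {
    my ($store, $make_id) = @_;
    for (1 .. 5) {                       # assumption: five attempts
        my $id = $make_id->();
        next if exists $store->{$id};    # collision: try again
        $store->{$id} = {};
        return $id;
    }
    die "could not allocate a unique session id after 5 tries\n";
}

my %store;

# Normal path: random ID, signed, then verified as it would be on the
# next request.
my $id     = new_session(\%store, \&random_id);
my $cookie = sign_id($id);
print "issued:   $cookie\n";
print "verified: ", (verify_cookie($cookie) // 'FAIL'), "\n";

# Forgery attempt: a client that knows or guesses an ID but not the
# secret cannot produce a MAC the server accepts.
my $forged = $id . '.' . ('0' x 64);
print "forged:   ", (verify_cookie($forged) // 'rejected'), "\n";

# Collision path: a generator that keeps returning the same value. The
# first allocation succeeds, the second is refused instead of being
# handed to a second user.
my $stuck = sub { 'deadbeef' x 4 };
new_session(\%store, $stuck);
eval { new_session(\%store, $stuck); 1 }
    and print "duplicate accepted?!\n"
    or  print "duplicate refused: $@";
```

The split is deliberate: the HMAC answers "can someone else present this cookie?", while the store's exists-check-and-retry answers "can two users end up with the same ID?". Neither one covers the other, which is why a large random ID alone is not the whole story.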


---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed

