
Re: [cgiapp] CGI::Session::ID::md5->generate_id & data collision


On Wed, 2006-03-08 at 17:13 +0300, Strong wrote:
> > > I can't understand why you do not simply use huge random IDs?
> > Because "random" ne "unique", and if you get one that isn't unique,
> > you will have problems.  Random also doesn't mean someone can't get
> > lucky and hit one if they write a script to try IDs all day.
> Thanks for the explanation! I got it. But we can check it for existence at
> least, blocking that, say, map-file for writing for a moment...

Yes, you could do that, assuming you are already using some kind of
shared storage with efficient locking.  That won't prevent an attacker
from guessing a valid session ID though.  It can be very unlikely, but
it will still be possible.

- Perrin
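The two points above side by side, as an added illustration that is not code from this thread or from CGI::Session: an ID drawn from the kernel CSPRNG, a check-and-append against a one-ID-per-line map file done under an exclusive flock so concurrent requests cannot both claim the same value, and the arithmetic for Perrin's last point, that the lock removes duplicates but does nothing about an attacker guessing. The map-file format, the /tmp path and a Unix host with /dev/urandom are assumptions for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:flock SEEK_SET SEEK_END);

# 128 bits from the kernel CSPRNG (assumption: a Unix host with /dev/urandom).
sub random_id {
    open my $rnd, '<', '/dev/urandom' or die "/dev/urandom: $!";
    binmode $rnd;
    my $got = read $rnd, my $bytes, 16;
    close $rnd;
    die "short read from /dev/urandom" unless defined $got && $got == 16;
    return unpack 'H32', $bytes;    # 32 hex characters
}

# Allocate an ID not already present in the map file, holding an exclusive
# lock across the read-check-append so two requests cannot both end up with
# the same value. One ID per line is an assumed format for the demo.
sub new_session_id {
    my ($map_file) = @_;
    open my $map, '+>>', $map_file or die "$map_file: $!";
    flock $map, LOCK_EX or die "flock: $!";
    seek $map, 0, SEEK_SET;
    my %used = map { chomp; ($_ => 1) } <$map>;
    my $id = random_id();
    $id = random_id() while $used{$id};   # retry on the (astronomically rare) collision
    seek $map, 0, SEEK_END;
    print {$map} "$id\n";
    close $map or die "close: $!";        # closing the handle also drops the lock
    return $id;
}

# Upper bound (union bound) on the chance that an attacker making $attempts
# guesses hits any of $active live sessions drawn from a $bits-bit space.
# This is unaffected by the lock above; only the ID width and the number of
# live sessions matter.
sub guess_probability {
    my ($bits, $active, $attempts) = @_;
    my $p = $active * $attempts / 2**$bits;
    return $p > 1 ? 1 : $p;
}

my $file = '/tmp/session-map.txt';   # constructed path for the demo
my @ids  = map { new_session_id($file) } 1 .. 3;
print "$_\n" for @ids;
printf "128-bit IDs, 1e6 live sessions, 1e12 guesses: p <= %.3g\n",
    guess_probability(128, 1e6, 1e12);
printf "32-bit IDs,  same load:                       p <= %.3g\n",
    guess_probability(32, 1e6, 1e12);
```

The last two lines are the practical takeaway: with 128-bit IDs the guessing bound stays negligible even against a script that tries IDs all day, while a 32-bit space is exhausted long before that, lock or no lock. Note that this map file only grows; a real store would also expire and remove IDs, and any check that has to survive several web servers needs the shared storage with locking that Perrin mentions.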


---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
