PerlMonks
Re: Re: Secure Session ID values

by hatter (Pilgrim)
on Nov 20, 2001 at 21:43 UTC


in reply to Re: Secure Session ID values
in thread Secure Session ID values

Certainly for unix-only apps this is a good choice for a session ID except in really extenuating circumstances, but like others have suggested, you should combine it with a checksum. The uniqueness of time().$$ is good, but as with any user-supplied data (in this case, the user's browser supplies it back to the server) you need to add something so that a malicious remote user can't fake the session of another user. A vaguely common (though not bulletproof) method would be to combine the two values with a 3rd secret value, in some mathematical way (e.g. ($$ * $secret) + $time) then take the modulus of that and another secret.

Something like $checksum = (($$ * $secret) + $time) % $someprime

When you need to access a user's session, take their $$ and $time from the cookie, do the same maths on them, and verify that the calculated checksum is the same as the one in the user's cookie.

the hatter
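An added example (not hatter's code) of the scheme described in this post: the cookie carries $$, $time and the checksum, and the server recomputes the checksum from the two user-supplied values before trusting them. Beside the arithmetic form it also shows the same idea with a keyed hash (HMAC-SHA256 from the core Digest::SHA module) and a constant-time tag comparison, since the post itself notes the modular form is not bulletproof. The secret, prime, HMAC key, pid and timestamp are constructed values for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10

# Server-side secrets. These are constructed values for the example; a real
# deployment loads long random secrets from outside the code.
my $SECRET    = 982451653;      # hatter's $secret
my $SOMEPRIME = 2147483647;     # hatter's $someprime (2**31 - 1)
my $HMAC_KEY  = 'example-only-server-key-change-me';

# The arithmetic checksum as described in the post above.
sub arith_checksum {
    my ($pid, $time) = @_;
    return (($pid * $SECRET) + $time) % $SOMEPRIME;
}

# Cookie value the browser hands back: pid, time and checksum, colon-separated.
sub make_arith_cookie {
    my ($pid, $time) = @_;
    return join ':', $pid, $time, arith_checksum($pid, $time);
}

# Recompute from the user-supplied pid and time; reject anything that is not
# three plain integers before doing arithmetic on it.
sub verify_arith_cookie {
    my ($cookie) = @_;
    my ($pid, $time, $sum) = split /:/, $cookie, 3;
    return 0 unless defined $sum
        && $pid =~ /^\d+$/ && $time =~ /^\d+$/ && $sum =~ /^\d+$/;
    return arith_checksum($pid, $time) == $sum ? 1 : 0;
}

# Same structure with a keyed hash in place of the modular arithmetic: the
# tag over "pid:time" cannot be recovered from observed cookies without the key.
sub hmac_tag {
    my ($pid, $time) = @_;
    return hmac_sha256_hex("$pid:$time", $HMAC_KEY);
}

sub make_hmac_cookie {
    my ($pid, $time) = @_;
    return join ':', $pid, $time, hmac_tag($pid, $time);
}

# Compare tags without stopping at the first differing byte, so the response
# time does not reveal how much of a guessed tag was right.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

sub verify_hmac_cookie {
    my ($cookie) = @_;
    my ($pid, $time, $tag) = split /:/, $cookie, 3;
    return 0 unless defined $tag && $pid =~ /^\d+$/ && $time =~ /^\d+$/;
    return ct_eq(hmac_tag($pid, $time), $tag);
}

# Demonstration with a fixed pid and timestamp (constructed, so the run is
# reproducible) instead of live $$ and time().
my ($pid, $time) = (31337, 1006292580);
for my $scheme ([ arith => \&make_arith_cookie, \&verify_arith_cookie ],
                [ hmac  => \&make_hmac_cookie,  \&verify_hmac_cookie  ]) {
    my ($name, $make, $verify) = @$scheme;
    my $cookie = $make->($pid, $time);
    (my $tampered = $cookie) =~ s/^\d+/$pid + 1/e;   # pid changed, checksum kept
    printf "%-5s genuine=%d tampered=%d\n",
        $name, $verify->($cookie), $verify->($tampered);
}
```

Both verifiers accept the genuine cookie and reject the one whose pid was altered while the checksum was kept. The difference between the two is what an observer can learn: a handful of (pid, time, checksum) triples constrain $secret and $someprime in the arithmetic form, whereas the HMAC tag gives away nothing about $HMAC_KEY.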


Re: Re: Re: Secure Session ID values
by uwevoelker (Pilgrim) on Nov 20, 2001 at 22:55 UTC
I also do this:
I have a mysql-table with id (autoincrement), random, time, user and so on. When a user gets a new session I create a random number and the user gets the random number together with the id back. So if he alters the id or random, the session entry cannot be found in the database. The field time is for timeout and user stores the user id (or whatever you want).

To delete outdated sessions I do: "DELETE FROM session WHERE time < $time" and $time is time()-$expire (expiration time in seconds).
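An added example (not uwevoelker's code) of the table-backed approach in this reply: a session row with id, random, time and user, a cookie of the form "id:random", a lookup that matches on both columns, and the expiry DELETE from the reply. It uses DBI with an in-memory SQLite database (DBD::SQLite assumed installed) in place of MySQL, and reads the random value from /dev/urandom, which is an assumption about the platform.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;   # assumes DBD::SQLite is installed; the reply used a MySQL table

# Table layout as in the reply: id (autoincrement), random, time, user.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do(<<'SQL');
CREATE TABLE session (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    random TEXT    NOT NULL,
    time   INTEGER NOT NULL,
    user   TEXT    NOT NULL
)
SQL

# 128 bits from the kernel CSPRNG, hex-encoded. The random column is the only
# thing stopping a user from walking the id space, so rand() (short and
# predictable) is not enough here.
sub new_random {
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $n = read $fh, my $bytes, 16;
    die "short read from /dev/urandom" unless defined $n && $n == 16;
    close $fh;
    return unpack 'H*', $bytes;
}

# New session for $user; the browser gets back "id:random".
sub create_session {
    my ($user) = @_;
    my $random = new_random();
    $dbh->do('INSERT INTO session (random, time, user) VALUES (?, ?, ?)',
             undef, $random, time(), $user);
    my $id = $dbh->last_insert_id(undef, undef, 'session', 'id');
    return "$id:$random";
}

# Both columns are in the WHERE clause, so changing either part of the cookie
# finds no row. Placeholders keep the user-supplied values out of the SQL text.
sub lookup_session {
    my ($cookie) = @_;
    my ($id, $random) = split /:/, $cookie, 2;
    return unless defined $random && $id =~ /^\d+$/ && $random =~ /^[0-9a-f]{32}$/;
    my ($user) = $dbh->selectrow_array(
        'SELECT user FROM session WHERE id = ? AND random = ?', undef, $id, $random);
    return $user;
}

# Timeout exactly as in the reply: rows with time < time() - $expire go away.
sub expire_sessions {
    my ($expire) = @_;
    my $cutoff = time() - $expire;
    return $dbh->do('DELETE FROM session WHERE time < ?', undef, $cutoff);
}

# Demonstration.
my $cookie = create_session('alice');
printf "genuine cookie    -> %s\n", lookup_session($cookie) // 'no session';

(my $bad_id = $cookie) =~ s/^(\d+)/$1 + 1/e;                  # id bumped, random kept
printf "tampered id       -> %s\n", lookup_session($bad_id) // 'no session';

(my $bad_random = $cookie) =~ s/(.)$/$1 eq '0' ? '1' : '0'/e;  # last hex digit flipped
printf "tampered random   -> %s\n", lookup_session($bad_random) // 'no session';

# Age the row by two hours, then expire anything older than one hour.
$dbh->do('UPDATE session SET time = time - 7200');
my $deleted = expire_sessions(3600);
printf "expired %d row(s) -> %s\n", $deleted, lookup_session($cookie) // 'no session';
```

The genuine cookie resolves to alice; a cookie with the id or the random part altered finds no row; after the expiry pass the original cookie no longer resolves either. Keeping the session state server-side like this also gives you something the checksum scheme alone does not: a session can be revoked by deleting its row.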
