
Re^4: MD5-based Unique Session ID Generator

by pelagic (Priest)
on Aug 19, 2004 at 20:56 UTC ( [id://384451]=note )


in reply to Re^3: MD5-based Unique Session ID Generator
in thread MD5-based Unique Session ID Generator

As we don't want to exercise Cargo Cult let's see what's done in this snippet:
    use strict;
    use Digest::MD5 qw/md5_hex/;

    for (1..10) {
        # raw id: epoch seconds, stringified anonymous hash ref, rand(), process id
        my $rand_id = time() . {} . rand() . $$;
        my $session_00 = md5_hex($rand_id);
        my $session_01 = substr (md5_hex($rand_id) , 0, 32);
        my $session_02 = substr(md5_hex(md5_hex($rand_id)), 0, 32);
        printf "%s\n%s %s %s\n\n", $rand_id, $session_00, $session_01, $session_02;
    }
"$rand_id" is composed of a couple of items to generate uniqueness:
"time()", "rand()" and "$$" are good for that while "{}", ref to an anonymous hash, doesn't help much, because it's always the same. It is possible to create more than 1 session id within 1 second but it's very unlikely to get more than 1 duplicate random within 1 second. So uniqueness is achieved.
It's a good idea to hash the "readable" id to put it in a regular, non human readable string format. This hashing does not improve the "uniqueness" of the id. It makes it more difficult to be guessed or hacked but that's it!
To hash it a second time doesn't do anything, neither good nor bad (besides performance).

pelagic

Replies are listed 'Best First'.
Re^5: MD5-based Unique Session ID Generator
by stvn (Monsignor) on Aug 19, 2004 at 22:11 UTC
    As we don't want to exercise Cargo Cult....

    Guilty as charged, and I thank you for pointing these details out.

    "time()", "rand()" and "$$" are good for that while "{}", ref to an anonymous hash, doesn't help much, because it's always the same.

    Actually, what you are seeing with the repeating "{}" value will not always be true. It seems (from my experimentation (look ma, no Cargo Cult)) that the repeating value you were seeing was something to the effect of perl's first memory location. So on each loop through the script you were seeing the location reaped and reused, and even when I forked each time within the loop, it did the same thing too. However, if you can be sure that this is not the first (?) ref created, you get a bit more randomness to that value. See the code below (spaces added for readability).

        my @rand;
        for (1..10) {
            # add a random number of elements to the array
            push @rand => $_ for (0 .. ((rand() * 10) % 10));
            my $rand_id = time() . " " . { time => time() } . " " . rand() . " " . $$;
            printf "%s\n", $rand_id;
        }
        __OUTPUT__
        1092953284 HASH(0x1806be4) 0.351068406456278 15758
        1092953284 HASH(0x180820c) 0.581041221829715 15758
        1092953284 HASH(0x1808230) 0.936157439122312 15758
        1092953284 HASH(0x1808284) 0.183180004399297 15758
        1092953284 HASH(0x18082c0) 0.943342015904591 15758
        1092953284 HASH(0x1808338) 0.424439000654708 15758
        1092953284 HASH(0x1808350) 0.935454533284215 15758
        1092953284 HASH(0x180838c) 0.771976549032949 15758
        1092953284 HASH(0x1808398) 0.549340888274884 15758
        1092953284 HASH(0x18083e0) 0.984217993290265 15758
    Now of course, as the OP has pointed out to us, not all session generation is alike. This may not work for you if your script starts a fresh perl interpreter each time and the hash-ref always gets the same value. However, if you are in a long running process, this would seem to contribute to the initial entropy.

    -stvn
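
An added example (not code from either poster): it rebuilds the thread's ID recipe with the parts kept separate, counts how many distinct values each part yields inside one process, and compares the number of distinct IDs before hashing, after one MD5 pass and after two. The `distinct` and `urandom_id` helpers and the use of `/dev/urandom` are assumptions of this example, not something the thread proposes.

```perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

# Number of distinct values in a list.
sub distinct { my %s; $s{$_}++ for @_; return scalar keys %s }

my $n = 1000;    # IDs generated back to back in one process
my (%part, @raw_full, @raw_norand);
for (1 .. $n) {
    my ($t, $ref, $r, $pid) = (time(), "" . {}, rand(), $$);
    push @{ $part{time} }, $t;
    push @{ $part{ref} },  $ref;
    push @{ $part{rand} }, $r;
    push @{ $part{pid} },  $pid;
    push @raw_full,   $t . $ref . $r . $pid;    # the thread's recipe
    push @raw_norand, $t . $ref . $pid;         # same recipe minus rand()
}

# Which parts actually vary between IDs?
printf "%-4s %4d distinct values in %d IDs\n", $_, distinct(@{ $part{$_} }), $n
    for qw(time ref rand pid);

# Hashing is deterministic: duplicate inputs stay duplicates after one or two passes.
for my $case ([ 'with rand()', \@raw_full ], [ 'without rand()', \@raw_norand ]) {
    my ($label, $raw) = @$case;
    my @once  = map { md5_hex($_) } @$raw;
    my @twice = map { md5_hex($_) } @once;
    printf "%-14s raw=%d md5=%d md5(md5)=%d distinct\n",
        $label, distinct(@$raw), distinct(@once), distinct(@twice);
}

# Assumption of this example (not from the thread): a Unix-like host with
# /dev/urandom. perldoc -f rand states that rand() is not cryptographically
# secure, so here all 128 bits come from the OS generator instead.
sub urandom_id {
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from /dev/urandom";
    return unpack 'H*', $buf;
}
printf "urandom_id     %s\n", urandom_id();
```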
