
RE: Re: unique session id

by DrManhattan (Chaplain)
on Jun 08, 2000 at 22:39 UTC

in reply to Re: unique session id
in thread unique session id

That's a good point. Just generating a random session id isn't enough. You also have to make sure you aren't getting a session id from a client other than the one you issued it to.

There was a really interesting thread about securing session ids on the mod_perl mailing list a couple of months ago.

The trick is that you need to store some validation information such as the client's ip address or a session timeout along with the session key. That way you can verify (or at least be more certain) that the client presenting the session key to you is the correct one.

There are basically two schools of thought: You can either encrypt the extra information in the session key itself, or you can store it in a database indexed by the session key. Each method has its advantages. The first requires some processing overhead to decrypt the data stored in the session key and possibly more bandwidth since the session keys may be longer. The second requires a database hit each time you verify the key. It's essentially a CPU vs. IO tradeoff.

Here's a link to the thread:

- Matt
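
An added example, not part of the original post: a sketch of the first approach, carrying the client address and a timeout inside the session key itself. It swaps encryption for an HMAC-SHA256 signature, so the fields are readable by the client but cannot be altered without detection; the `id|ip|expiry|mac` layout, the secret, the addresses and the timestamp are all assumptions constructed for the demo.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: server-side secret, constructed for this demo.
my $SECRET = 'constructed-demo-secret';

# 16 random bytes from the OS, hex-encoded, as the session id.
sub random_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $buf;
}

# Session key layout (hypothetical): id|ip|expiry|mac
sub issue_key {
    my ($ip, $ttl, $now) = @_;
    my $payload = join '|', random_id(), $ip, $now + $ttl;
    return $payload . '|' . hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns 'ok' or the reason the key is rejected.
sub validate_key {
    my ($key, $ip, $now) = @_;
    my @f = split /\|/, $key, -1;
    return 'malformed' unless @f == 4;
    my ($id, $key_ip, $expiry, $mac) = @f;
    my $expect = hmac_sha256_hex(join('|', $id, $key_ip, $expiry), $SECRET);
    return 'bad mac'      unless ct_eq($mac, $expect);   # check before trusting fields
    return 'expired'      if $now >= $expiry;
    return 'wrong client' if $ip ne $key_ip;
    return 'ok';
}

my $now = 960503940;                                    # constructed timestamp
my $key = issue_key('192.0.2.10', 1800, $now);          # constructed client address
(my $forged = $key) =~ s/\|\d+\|/|9999999999|/;         # client edits the expiry
print validate_key($key,    '192.0.2.10',   $now + 60),   "\n";  # issuing client
print validate_key($key,    '198.51.100.7', $now + 60),   "\n";  # key presented from elsewhere
print validate_key($key,    '192.0.2.10',   $now + 3600), "\n";  # after the timeout
print validate_key($forged, '192.0.2.10',   $now + 3600), "\n";  # tampered expiry
```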
