It is not important for session keys to be hard to guess. If you include a MAC (using SHA1 probably) in your cookie, knowing a valid session key will not be enough information to forge a valid session. Instead, you should focus on making one that will definitely not repeate, because a repeat will be a potential disaster for your application. I recommend using mod_unique_id (an apache module) or a sequence from a database, because these are both good enough for use in a cluster of machine.
Nearly all of the "hard to guess" key generation tools have problems with duplicates, as you have seen. You also have to be careful when making something our of concatenating things like process ID which can vary in length, since you can get accidental repeats if you are not forcing them to a specific size or using a separator character between them. Really, it's much easier to use mod_unique_id or a database.
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|