Re: CGI::Session::ID::md5->generate_id & data collision: msg#00039

Subject: Re: CGI::Session::ID::md5->generate_id & data collision
On Wed, 2006-03-08 at 17:13 +0300, Strong wrote:
> > > I can't understand why You do not simply use a huge random ids?
> > Because "random" ne "unique", and if you get one that isn't unique,
> > you will have problems.  Random also doesn't mean someone can't get
> > lucky and hit one if they write a script to try IDs all day.
> Thanks for the explanation! I got it. But we can check it for existence at
> least, blocking that say map-file for writing for a moment...

Yes, you could do that, assuming you are already using some kind of
shared storage with efficient locking.  That won't prevent an attacker
from guessing a valid session ID though.  It can be very unlikely, but
it will still be possible.

- Perrin


---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/cgiapp@xxxxxxxxxxxxxxxxx/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: cgiapp-unsubscribe@xxxxxxxxxxxxxxxxx
For additional commands, e-mail: cgiapp-help@xxxxxxxxxxxxxxxxx
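The check-and-insert under a lock that Strong proposes, together with the residual guessing risk Perrin points out, as an added example in Python (not CGI::Session's own Perl code). `SessionStore`, `reserve_new_id` and `guess_success_probability` are names chosen here, the in-memory dict stands in for the shared map-file, and 16 bytes of CSPRNG output is the assumed ID size:

```python
import secrets
import threading

ID_BYTES = 16  # 128 bits of CSPRNG entropy per ID (assumed size)


class SessionStore:
    """In-memory stand-in for shared session storage. The lock plays the
    role of the map-file write lock from the thread: the existence check
    and the insert happen as one atomic step."""

    def __init__(self):
        self._lock = threading.Lock()
        self._sessions = {}

    def reserve_new_id(self, rng=secrets.token_hex, max_tries=5):
        """Draw a random ID and claim it atomically. `rng(n)` must return a
        hex string for n random bytes; it is a parameter only so a
        deterministic generator can be injected to exercise the collision
        path, which with 128-bit IDs is otherwise never observed."""
        for _ in range(max_tries):
            sid = rng(ID_BYTES)
            with self._lock:
                # Random ne unique: a collision is retried, never overwritten.
                if sid not in self._sessions:
                    self._sessions[sid] = {}
                    return sid
        raise RuntimeError("could not allocate a unique session ID")

    def exists(self, sid):
        return sid in self._sessions


def guess_success_probability(active_sessions, id_bits, guesses):
    """Upper bound on the chance that `guesses` blind attempts hit any of
    `active_sessions` live IDs drawn uniformly from 2**id_bits values.
    This is the 'very unlikely, but still possible' quantity: uniqueness
    checks do not change it; only the entropy of the ID does."""
    return min(1.0, guesses * active_sessions / 2 ** id_bits)
```

The collision retry is what the locked check buys you; the probability function shows that guessability is governed by entropy alone, so an ID derived from predictable inputs is not rescued by a uniqueness check.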