Session ID Generator (Rolled My Own)

jerrygarciuh has asked for the wisdom of the Perl Monks concerning the following question:

Replies are listed 'Best First'.
Re: Session ID Generator (Rolled My Own) by Zaxo (Archbishop) on Sep 14, 2002 at 23:38 UTC
Just a few points. It's no longer necessary to seed the RNG with srand, that has been automatic for the last few versions of Perl. The @Chars array can be initialized with the list range operator: `my @Chars = '0'..'9', 'A'..'Z', 'a'..'z';` [download] I'd rename $l so it doesn't look like the first captured match builtin, $1. It could also be generated by `$l = join '', map {$Chars[rand @Chars]} 1..7*($ARGV[0] \|\|= 1);` [download] After Compline, Zaxo	[reply] [d/l] [select]
Re: Re: Session ID Generator (Rolled My Own) by sauoq (Abbot) on Sep 15, 2002 at 04:21 UTC
`my @Chars = '0'..'9', 'A'..'Z', 'a'..'z';` That won't work as you might expect. You'll actually need: `my @Chars = ('0'..'9', 'A'..'Z', 'a'..'z');` [download] Those parens aren't optional. Here's a demonstration: `$ perl -le 'my @one="0".."9","a".."z"; my @two=("0".."9","a".."z"); pr +int @one; print @two' 0123456789 0123456789abcdefghijklmnopqrstuvwxyz` [download] -sauoq "My two cents aren't worth a dime.";	[reply] [d/l] [select]
Re: Re: Re: Session ID Generator (Rolled My Own) by Zaxo (Archbishop) on Sep 15, 2002 at 05:30 UTC
Right you are. I'm trying to understand that in terms of operator precedence. I think my erroneous one parses as: `( my @Chars = '0' .. '9'), 'A' .. 'Z', 'a' .. 'z';` sauoq++ for the catch. After Compline, Zaxo	[reply] [d/l]
Re: Re: Re: Session ID Generator (Rolled My Own) by jerrygarciuh (Curate) on Sep 15, 2002 at 18:10 UTC
Thanks for pointing that out sauoq! I would certainly never figured out the problem from the symptom! jg _____________________________________________________ "The man who grasps principles can successfully select his own methods. The man who tries methods, ignoring principles, is sure to have trouble. ~ Ralph Waldo Emerson	[reply] [d/l]
Re^2: Session ID Generator (Rolled My Own) by Flexx (Pilgrim) on Sep 15, 2002 at 01:36 UTC
Hi Zaxo! A small glitch in this. The equivalent `@Chars` range would be: `v my @Chars = ('a'..'z', 'A'..'Z', '2'..'9'); ^` [download] Also, I think the `$1` (one) you read, is actually a `$l` (ell)... ;) So long, Flexx Update: Added parens, ++sauoq	[reply] [d/l] [select]
Re: Session ID Generator (Rolled My Own) by Beatnik (Parson) on Sep 14, 2002 at 23:32 UTC
If you're using this on Apache, you might wanna consider compiling mod_unique_id. It stores a unique value in `$ENV{UNIQUE_ID}` for each request. Greetz Beatnik ...Perl is like sex: if you're doing it wrong, there's no fun to it.	[reply] [d/l]
Re: Session ID Generator (Rolled My Own) by perrin (Chancellor) on Sep 15, 2002 at 01:45 UTC
Is it sufficiently random? Maybe, I don't know much about that. (I would just use one of the random number modules from CPAN.) However, it's not guranteed to be unique. It is unlikely but possible for this to generate the same ID for multiple live sessions, causing mayhem for those users. I think it's much safer to use mod_unique_id and then use a digest-based authentication to make sure that the cookie is valid and comes from you. This method is described here.	[reply]
Re: Session ID Generator (Rolled My Own) by Aristotle (Chancellor) on Sep 15, 2002 at 08:06 UTC
I get to beat merlyn to it: check out his column on that. grin Makeshifts last the longest.	[reply]
Re: Session ID Generator (Rolled My Own) by bart (Canon) on Sep 15, 2002 at 10:55 UTC
Somehow, I don't see how your "unique ID" is garanteed to be unique. You're just using a sequence of randomly picked word characters, aren't you? If part of your session ID was the time() when the session started, perhaps encrypted and/or shuffled in a predetermined order, there's only so many sessions that could get started in that second. So if you now make sure the remainder of what your session ID string consists of, is unique for that starting second, then the session ID will be unique, period. And if that remainder is quite random and long enough to be very hard to guess, then hijacking a session seems very unlikely to me — but not impossible. I would think that recognizing attempts to break into a session, with repeated tries with various candidate session ID's, and taking appropriate action (whatever that may mean), would be the logical next step.	[reply]
Re: Session ID Generator (Rolled My Own) by no_slogan (Deacon) on Sep 15, 2002 at 07:26 UTC
The built-in rand() function is not a secure source of random numbers. A suitably skilled attacker will be able to predict your sequence numbers. perrin has a good suggestion.	[reply]
Re: Session ID Generator (Rolled My Own) by Ryszard (Priest) on Sep 15, 2002 at 08:19 UTC
a one liner? `my $sess_id = md5_hex('s3cr37 s7r1n6'.$$.localtime().rand());` Of course you'll need md5.	[reply] [d/l]


more useful options
	PerlMonks