Re: unique cookie id?

IIRC, the PID under mod_perl will be the PID of whatever Apache thread you're running under. So the $ToBase62->($$) part will often be the same.

This code makes me nervous, because it gives away the PID of the process. This is a small bit of information to give to an attacker, but I like to know that an attacker has as little information about my system as possible. Further, PIDs are not as random as they appear (unless you know your system does otherwise, such as OpenBSD or a patched version of Linux).

For generating session IDs, I usually use Data::UUID. It's not guarenteed to be truely random (though if you want that it shouldn't be too difficult to patch or subclass), but it is guarenteed unique for a reasonable ammount of time.

----
I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
-- Schemer

: () { :|:& };:

Note: All code is untested, unless otherwise stated

Comment on Re: unique cookie id? Select or Download Code

Replies are listed 'Best First'.
Re: Re: unique cookie id? by exussum0 (Vicar) on Dec 23, 2003 at 16:44 UTC
Add to the fact that if you have an SMP machine, it is easily possible for two requests to be processed at the same time on a busy site. Easily possible for the time() to be the same value that is. Be afraid.. be very afraid ;) Update: Added the middle sentence. Play that funky music white boy..	[reply]


Your skill will accomplish what the force of many cannot
	PerlMonks