Random, Unique, but Simple session ID

akm2 has asked for the wisdom of the Perl Monks concerning the following question:

Replies are listed 'Best First'.
Re: Random, Unique, but Simple session ID by Dominus (Parson) on Apr 13, 2001 at 21:31 UTC
Combine the time of day, the process ID number, and the IP address of the host. If you really need the IDs to be random, then generate a random number, and the three items above, and use them as input to the MD5 checksum algorithm.	[reply]
Re: Re: Random, Unique, but Simple session ID by sachmet (Scribe) on Apr 13, 2001 at 21:33 UTC
Technically, that could work. As long as you're not going to have 32K sessions per second, that seems fairly unique. Problem is, I believe the poster wanted random. There's many ways you could run into race conditions in this case. I say it depends on the application as to the source of randomness and uniqueness. For example, if using a database that supports sequences, you could MD5-encrypt a sequence number with a random password, and that'd be both unique and random, as well as fairly simple. Without more information, it's difficult, though. Update: Double posted; this should be under this node instead. Update2: Second post had MD5 note added whereas first didn't.	[reply]
(dkubb) Re: (2) Random, Unique, but Simple session ID by dkubb (Deacon) on Apr 13, 2001 at 21:50 UTC
You should look at Apache::Session. You can use it's internal session generation system, without using the entire module: `use Apache::Session::Generate::MD5; #... my $session_id = Apache::Session::Generate::MD5::generate();` [download] You may want to explore this module more. I think it will not only allow you to easily create pseudo-random session id's, but also provide a simple interface to store and retrieve session information. I've used Apache::Session many times and I highly recommend it.	[reply] [d/l]
Re: Random, Unique, but Simple session ID by Masem (Monsignor) on Apr 13, 2001 at 21:33 UTC
Use some combination of the current date/time, a random number, and possibly a checksum to improve validity. Eg: `my $uniqueId = time()10000 + int rand (10000); $uniqueId = $uniqueId100 + ( ( ( $uniqueId div 10000000) % 10 ) * ( ( $uniqueId div 100 ) % 10 ) );` [download] The latter uses the 8th and 3rd digit from the right as checksums in this case. Dr. Michael K. Neylon - mneylon-pm@masemware.com \|\| "You've left the lens cap of your mind on again, Pinky" - The Brain	[reply] [d/l]
Re: Re: Random, Unique, but Simple session ID by Fastolfe (Vicar) on Apr 13, 2001 at 23:24 UTC
Not to nit-pick, but a 'random number' is not guaranteed to be different the next time it's requested. There is a possibility two people will hit it within a second of each other (thus getting the same time) and get the same random number, thus giving them the same unique ID. Granted, the probability is low, but if you get a lot of ID requests, this will be a very real concern. I usually combine the process ID of the process making the request in with that, since it's highly unlikely you will iterate through the system's available process pool within 1 second of time, and combined with a random number like you're doing, makes it for all practical purposes completely unique.	[reply]
Re: Random, Unique, but Simple session ID by mothra (Hermit) on Apr 13, 2001 at 22:31 UTC
The unique_id() function I use (pieced together from the Camel, Randal's suggestions, and elsewhere) is: `sub unique_id() { # Use Apache's mod_unique_id if available return $ENV{UNIQUE_ID} if exists $ENV{UNIQUE_ID}; require MD5; # Note This is intended to be unique, not unguessable. my $id = MD5->hexhash(MD5->hexhash(time.{}.rand().$$)); $id =~ tr\|+/=\|-_.\|; # make non-word characters URL friendly return $id; }` [download] By using hexhash instead of base 64 you're also more likely to come up with ID that are safe to use (read, "no funny characters that might do something bad")	[reply] [d/l]
Re: Re: Random, Unique, but Simple session ID by merlyn (Sage) on Apr 14, 2001 at 04:32 UTC
`# Note This is intended to be unique, not unguessable. my $id = MD5->hexhash(MD5->hexhash(time.{}.rand().$$)); $id =~ tr\|+/=\|-_.\|; # make non-word characters URL friendly` [download] Uh, that tr never fires there. hexhash always generates hex chars. Perhaps you're confusing this with the base64 versions that I was trying to steer the other petitioner around. -- Randal L. Schwartz, Perl hacker	[reply] [d/l]
Re: Random, Unique, but Simple session ID by THRAK (Monk) on Apr 13, 2001 at 21:49 UTC
akm2, you might want to look at this node. I found lhoward's reply to work quite well for a recent project. -THRAK www.polarlava.com	[reply]
Re: Random, Unique, but Simple session ID by Russ (Deacon) on Apr 13, 2001 at 23:02 UTC
Here is one of my favorite posts on these issues. :-) RE: Random number (CGI Security) Russ Brainbench 'Most Valuable Professional' for Perl	[reply]
Re: Random, Unique, but Simple session ID by Madams (Pilgrim) on Apr 14, 2001 at 08:20 UTC
How about this --many M$ programs make use of GUIDs (globally unique identifiers) they show up looking like this:{00000535-0000-0010-8000-00AA006D2EA4}. Visual studio and borland builder/delphi contain a program that produces them for the programmer...does any one know the algo that is used...the program is (per M$) guaranteed to produce unique values. Perhaps this sort of item is what akm2s looking for? _________________ madams@scc.net `(__) (\/) /-------\/ / \| 666 \|\| * \|\|----\|\|` [download]	[reply] [d/l]


No such thing as a small change
	PerlMonks