Re: Using crypt for 'reasonably' secure session management w/DB

the script then generates a 20-character session ID, encrypts it using Perl's built-in crypt() function

Already noticed that if two session ID's are different by only the last few characters, I get the exact same encrypted value

Note that crypt will only handle passwords up to 8 characters long. I guess you could follow other Monks advice and use use something like Digest::SHA1. This code

use strict;
use warnings;

my $salt   = q{zy};
my $passwd = q{};

for ( q{a} .. q{m} )
{
    $passwd .= $_;
    my $encrypted = crypt $passwd, $salt;
    printf qq{%-3s%-15s%13s\n},
       $salt,
       $passwd,
       $encrypted;
}
[download]

produces

zy a              zysdihJ0gvwVY
zy ab             zy4zYYneKaYuc
zy abc            zyVTopNmDAhDM
zy abcd           zyaO8uXTZHk.Q
zy abcde          zyIALca4k5yc2
zy abcdef         zyTUr1c/J9ROc
zy abcdefg        zyB0MLdTVOSYY
zy abcdefgh       zyQskE0hBAgLs
zy abcdefghi      zyQskE0hBAgLs
zy abcdefghij     zyQskE0hBAgLs
zy abcdefghijk    zyQskE0hBAgLs
zy abcdefghijkl   zyQskE0hBAgLs
zy abcdefghijklm  zyQskE0hBAgLs
[download]

which demonstrates that crypt just discards anything beyond the 8th character.

I hope this is of interest.

Cheers,

JohnGG

Comment on Re: Using crypt for 'reasonably' secure session management w/DB Select or Download Code