Re: Secure Session ID values

You can use anything that is guaranteed to be unique (I like mod_unique_id) as long as you secure it with some kind of MAC, as described here.

Comment on Re: Secure Session ID values

Replies are listed 'Best First'.
Re: Re: Secure Session ID values by Hero Zzyzzx (Curate) on Nov 20, 2001 at 20:42 UTC
Well, generating a string of 36 random alphanumeric characters SOUNDS pretty unique to me. (36^20=1.3e+31 possible combinations) I know how to use MD5 and other hashing algorithms, and I've heard it's a good thing to do so for session ids, but my question is why? Is generating the IDs as I describe above not good enough? -Any sufficiently advanced technology is indistinguishable from doubletalk.	[reply]

Replies are listed 'Best First'.

Re: Re: Secure Session ID values
by Hero Zzyzzx (Curate) on Nov 20, 2001 at 20:42 UTC

Well, generating a string of 36 random alphanumeric characters SOUNDS pretty unique to me. (36^20=1.3e+31 possible combinations)

I know how to use MD5 and other hashing algorithms, and I've heard it's a good thing to do so for session ids, but my question is why? Is generating the IDs as I describe above not good enough?

-Any sufficiently advanced technology is
indistinguishable from doubletalk.

[reply]