Re: Re: Secure Session ID values

Certainly for unix-only apps this is a good choice for a session ID expect in really extenuating circumstances, but like others have suggested, you should combine it with a checksum. The uniqueness of time().$$ is good, but as with any user-supplied data (in this case, the users browser supplies it back to the server) you need to add something so that a malicious remote user can't fake the session of another user. A vaguely common (though not bulletproof) method would be to combine the two values with a 3rd secret value, in some mathematical way (eg ($$ * $secret) + $time) then take the modulus of that and another secret.

Something like $checksum = (($$ * $secret) + $time) % $someprime

When you need to access a users session, take their $$ and $time from the cookie, do the same maths on them, and verify that the calculated checksum is the same as the one in the users cookie.

the hatter

Comment on Re: Re: Secure Session ID values

Replies are listed 'Best First'.
Re: Re: Re: Secure Session ID values by uwevoelker (Pilgrim) on Nov 20, 2001 at 22:55 UTC
I also do this: I have a mysql-table with id (autoincrement), random, time, user and so on. When an user gets a new session I create a random number and the user gets the random number together with the id back. So if he alters the id or random, the session entry can not found in the database. The field time is for timeout and user stores the user id (or whatever you want). To delete outdated session I do: "DELETE FROM session WHERE time < $time" and $time is time()-$expire (expiration time in seconds).	[reply]

Replies are listed 'Best First'.

Re: Re: Re: Secure Session ID values
by uwevoelker (Pilgrim) on Nov 20, 2001 at 22:55 UTC

[reply]