I have a question about the best way to handle httpd sessions. I know the basic framework (basically what Apache::Session does.) However, I'm wondering what's the best solution for generating the sessions ids? I see two main contenders:

MD5 hash: I believe these are guaranteed to be unique if they are based on a unique sequence. However, since they depend on a 'secret phrase' for security, if the secret phrase was discovered, then all the sessions might be able to be compromised, right?

random strings: Since these are random, it seems like eventually the same string could be generated twice, but with large strings and lots of characters, this should be very, very rare. However, since there is no "secret" behind them, they should otherwise be harder to compromise.

In either case, it makes sense to also include the IP address of the user as part of the security check, adding security to either system.

I assume that MD5 is "better" for some reason since that is what's in the widely-used Apache::Session module. If so, what specific advantages does it have over the random string method, and what trade-offs are there, if any? Thanks,

-mark
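The two schemes from the question side by side, as an added illustration in Python (not code from the post or from Apache::Session): a secret-plus-counter MD5 id, a CSPRNG random string, an entropy and birthday-bound estimate for the "could the same string be generated twice" worry, and a lookup that also binds the session to the client IP as the post suggests. The alphabet, the 32-character default and the `SessionStore` class are my own assumptions.

```python
import hashlib
import hmac
import math
import secrets

# Assumed id alphabet: 62 characters, log2(62) ~ 5.95 bits each.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def md5_session_id(secret: str, sequence: int) -> str:
    """The 'MD5 hash' scheme: digest over a secret phrase and a unique counter.
    Uniqueness comes from the counter; unpredictability rests solely on the
    secret, so whoever learns the secret can recompute every id ever issued."""
    return hashlib.md5(f"{secret}:{sequence}".encode()).hexdigest()


def random_session_id(length: int = 32) -> str:
    """The 'random string' scheme, drawn from the OS CSPRNG via secrets,
    never from a plain PRNG whose sequence can be reconstructed."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random string of the given length."""
    return length * math.log2(alphabet_size)


def collision_probability(n_ids: int, length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Birthday-bound estimate that at least two of n_ids random ids coincide:
    p ~ 1 - exp(-n^2 / (2N)) with N = alphabet_size ** length."""
    space = alphabet_size ** length
    return 1.0 - math.exp(-(n_ids ** 2) / (2.0 * space))


class SessionStore:
    """Minimal in-memory store (constructed for this example) that binds each
    session id to the client IP that created it."""

    def __init__(self):
        self._sessions = {}

    def create(self, user: str, client_ip: str) -> str:
        sid = random_session_id()
        self._sessions[sid] = {"user": user, "ip": client_ip}
        return sid

    def lookup(self, sid: str, client_ip: str):
        """Return the user for a valid (id, ip) pair, else None.
        Ids are compared in constant time so a near-miss is not measurable."""
        for stored_id, data in self._sessions.items():
            if hmac.compare_digest(stored_id, sid) and data["ip"] == client_ip:
                return data["user"]
        return None
```

The IP check is the extra layer the post mentions; note that it also rejects legitimate users whose address changes mid-session (proxies, mobile networks), which is the trade-off of that layer.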


In reply to sessions: MD5 versus random strings by markjugg
