Re^4: Is this a secure way to prevent cookie tampering

You are of course correct that a truely random number would be secure. In fact my approach of ID + secret just moves the randomness to a different part.

I prefer the id + secret route because it is easier to deal with in the database. The id can be a integer which the indexes like and the secret is just a char(30) or whatever. Having the id as an integer allows for easy referencing from other tables. There is also the cosmetic appeal of seeing how many sessions you have gone through...

--tidiness is the memory loss of environmental mnemonics

Comment on Re^4: Is this a secure way to prevent cookie tampering Download Code

Replies are listed 'Best First'.
•Re^5: Is this a secure way to prevent cookie tampering by merlyn (Sage) on Jun 29, 2004 at 16:35 UTC
Having the id as an integer allows for easy referencing from other tables. There is also the cosmetic appeal of seeing how many sessions you have gone through... Then just send your strong secret over the wire, and use a database table to map your strong secret to a simple session ID. That'll help you reject bad secrets faster too, or even make it possible to change the secret every minute without messing up the sessions. -- Randal L. Schwartz, Perl hacker Be sure to read my standard disclaimer if this is a reply.	[reply]
Re^5: Is this a secure way to prevent cookie tampering by iburrell (Chaplain) on Jun 29, 2004 at 16:37 UTC
You don't need to put the id in the cookie. It is acceptable to use the sequential integer id as the primary key in the database. Having a longer key is a good idea since it makes it harder to guess. You can send just the key in the cookie, and look that up to find the session.	[reply]
Re^6: Is this a secure way to prevent cookie tampering by exussum0 (Vicar) on Jul 01, 2004 at 02:32 UTC
I hope you mean sequential as in a sequence with hard to predict next values. It's better off to take noise from /dev/urandom or something like taht. Pregenerate the primary keys or something. But don't use a predictible sequence. Otherwise, guessing what someone else's session key is easy. Even if you are encrypting, if the encryption is broken, a random next number is harder to guess. Bart: God, Schmod. I want my monkey-man.	[reply]