in reply to Re^5: Identifying clients
in thread Identifying clients

My choice of code for this is:

$session = substr(crypt(rand(),'XX'),2);

Which creates a tidy 13 character (printable) string with no fuss or muss. The session is used to create a MySQL table entry (where the session field is a unique primary key). There's a loop to keep generating session ids if the row insert fails due to a duplicate key. I could throw a time element into it, but I don't think this would buy any improvement.

I suppose there are also ways to defeat the not so random nature of 'rand()', but I'll leave that to the DOD ;).

Assuming a 13 char string is sufficient variation to (reasonably) prevent a session attack.

Replies are listed 'Best First'.
Re^7: Identifying clients
by Firefly258 (Beadle) on Dec 08, 2006 at 22:07 UTC
    Consider this :- 
    my $session1 = crypt rand, 'XX';
my $session2 = crypt rand, 'AA';

    [download]
    Are you always guaranteed to have different values for $session1 and $session2?? No, there is an incalculable chance that they might be same.

    I would consider a function of some non-random values instead, something along the lines of this. 
    my $session - crypt time, "XX";

    [download]
    But two clients could still end up with the same session ID, so here's a to try and guarantee that no two session IDs are ever the same, even in the oddest case where the same user has logged in at multiple instances. 
    my $rawID = time . ( toNum( $userID ) % toNum( $password ) +
            toNum( $ENV{REMOTE_ADDR} ) % $ENV{REMOTE_PORT} );

my $sessionID = crypt $rawID, "PY";

    [download]
    It's still imperfect, but you can always amend it to your needs. Also, I'm not sure how seriously crypt() can be taken as a trustworthy hashing function.


    perl -e '$,=$",$_=(split/\W/,$^X)[y[eval]]]+--$_],print+just,another,split,hack'er
[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom