Re: Untainting cookies

A somewhat unrelated problem, but as discussed in this node, using the IP address of the remote user is NOT a good way to guarentee unique session information, particularly if your user is behind a firewall or proxy. While highly unlikely that it might happen that two users from the same proxy may hit your site at the say time (and thus generating the same md5 key), it could still happen. I would at least add another level of randomness to the key before md5'ing it (eg add ".(int rand 10000)") to $remote.

update fixed node link

Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain

Comment on Re: Untainting cookies

Replies are listed 'Best First'.
Re: Re: Untainting cookies by jwest (Friar) on Apr 12, 2001 at 00:40 UTC
I would say that it's even more likely than you might initially suspect. Some large organisations, such as AOL, have been known to send all of their traffic through just a handful of gateways. I've run into this problem a few times. Typically, as Masem suggests, I add in some sort of random value, and as precise a time value as I care to conjure up, just to even out the randomness a bit. Also, if the script runs on several machines behind a load balancer, I'll use an unique identifier of the machine (host id on Sun, for example) to limit my collision space further. Be creative, but be wary of this problem. In addition, the less formulaic the data is that you encrypt, the less likely someone will be able to hijack the session by computing what another user's session identifier is.	[reply]

Replies are listed 'Best First'.

Re: Re: Untainting cookies
by jwest (Friar) on Apr 12, 2001 at 00:40 UTC

more

[reply]