on 2002/12/24 5:52 AM, "Tim Funk" <[EMAIL PROTECTED]> wrote:
> I hope you were joking about the monotonic increase of sessionIds. If
> that were done - it would be trivial to steal another's sessionId by
> guessing.

How is that?

laskdfowifjwo2i3jofij2oi3jofwjieogih934htwo4i1
io2oiwejofiwjoijr9238jr9iejofij2oi3jro23ij2i32
Aslkdjfalskdjflaksjdflkasjdflkjlsdkjflaskjdfl3
lakdjflkasjdflkjwoeirjowiejo2ij4o3ij4o2i4o3jo4
flaksjdflksajdflkjsdlfkjsdlkfalsdjflasdkflksd5
laksdfjlkasjdflaskjdflksjdfowiejreowiefjowiee6

The only problem with it is that the session id would grow in length as more digits are added.

I don't see how adding a number would make things easier to steal (as long as the first part is unique random garbage), but maybe I'm missing something.

It would be best to do something like this:

SHA1(laskdfowifjwo2i3jofij2oi3jofwjieogih934htwo4i1)
SHA1(io2oiwejofiwjoijr9238jr9iejofij2oi3jro23ij2i32)
SHA1(Aslkdjfalskdjflaksjdflkasjdflkjlsdkjflaskjdfl3)
SHA1(lakdjflkasjdflkjwoeirjowiejo2ij4o3ij4o2i4o3jo4)
SHA1(flaksjdflksajdflkjsdlfkjsdlkfalsdjflasdkflksd5)
...
SHA1(laksdfjlkasjdflaskjdflksjdfowiejreowiefjowiee600)

So that you always have a uniform length.

Just trying to learn...

-jon
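The scheme discussed in the message above (random prefix, increasing counter suffix, SHA-1 for a uniform length), written out as an added example that is not part of the original post or of any project's code. The class and function names, the 128-bit prefix size and the all-zero "broken RNG" are assumptions made for illustration; the check shows that the counter and the hash add no secrecy, so the IDs are only as hard to guess as the prefix.

```python
import hashlib
import itertools
import secrets
import threading

RANDOM_BYTES = 16  # assumption: 128 bits from the OS CSPRNG per ID


class SessionIdGenerator:
    """Random prefix + increasing counter, hashed to a fixed length."""

    def __init__(self, rng=secrets.token_bytes):
        self._rng = rng                     # supplies the random prefix
        self._counter = itertools.count(1)  # monotonically increasing suffix
        self._lock = threading.Lock()

    def raw_id(self):
        # The counter guarantees uniqueness but is guessable, so all of the
        # secrecy has to come from the random prefix.
        with self._lock:
            n = next(self._counter)
        return self._rng(RANDOM_BYTES).hex() + str(n)

    def session_id(self):
        # SHA-1 as in the message: growing input, constant 40 hex characters.
        return hashlib.sha1(self.raw_id().encode("ascii")).hexdigest()


def ids_recomputable(assumed_prefix, rng=secrets.token_bytes, count=100):
    """True if every ID equals SHA1(assumed_prefix + counter).

    This is the property a generator must NOT have: hashing adds no
    entropy, so a fixed or known prefix leaves only the counter to guess.
    """
    gen = SessionIdGenerator(rng)
    for n in range(1, count + 1):
        raw = (assumed_prefix.hex() + str(n)).encode("ascii")
        if gen.session_id() != hashlib.sha1(raw).hexdigest():
            return False
    return True


if __name__ == "__main__":
    gen = SessionIdGenerator()
    print([gen.session_id() for _ in range(3)])
    zeros = bytes(RANDOM_BYTES)  # constructed stand-in for a broken RNG
    print("constant prefix:", ids_recomputable(zeros, rng=lambda n: zeros))
    print("CSPRNG prefix:  ", ids_recomputable(zeros))
```
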