[REBOL] Re: RWT: Cookies

From: petr:krenzelok:trz:cz at: 5-Mar-2003 11:30

Laurent Chevalier wrote:
> Hi Petr,
>
> I'm using this function to generate unique and secure session ID in my
> rsp.cgi :
>
> build-id: has [ id ][
>     random/seed join now/precise either config/log-path [
>         checksum read config/log-path ][ checksum to-string now/precise ]
>     until [
>         id: make string! (config/session-key-length + 5)
>         loop config/session-key-length [ append id first random "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" ]
>         not exists? to-file rejoin [config/session-dir id ext]
>     ]
>     id
> ]
>
> Note the definition of a unique seed with random/seed to avoid
> repetition of ID.
>
> I'm getting entropy that to checksum read config/log-path that
> depends on the users of the service and so can be guessed by any hacker.

Are you sure a hacker has any chance to guess the sequence? I find your code a bit complicated to understand.

What do you think:

generate-id: func [/local t][
    t: mold checksum/secure mold now/time/precise
    random/secure copy/part at t 3 ((length? t) - 3)
]

IIRC in some earlier discussion someone stated that checksum/secure is secure enough ... the only problem I got is - I was able to receive the same now/time/precise values ... maybe because of low Windows timer granularity ... so I added random/secure and I can't believe a) someone can guess the mechanism b) I can obtain two identical identifiers which I want to use for login to system ...

cheers,
-pekr-
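
Added example, not part of the original message or of either poster's code: a Python model of the duplicate now/time/precise values reported above, showing that hashing a clock reading adds no entropy, next to an ID drawn from the OS CSPRNG. The 10 ms tick, the sample timestamps, the function names and the use of SHA-1 as the hash are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # the 36 symbols build-id draws from

# Constructed sample: five requests stamped by a clock that ticks every 10 ms
# (assumed granularity for illustration, not a measured value).
SAMPLE_TIMESTAMPS = ["11:30:00.01", "11:30:00.01", "11:30:00.01",
                     "11:30:00.02", "11:30:00.02"]

def time_hash_id(timestamp: str) -> str:
    """ID derived only from a clock reading; SHA-1 is a stand-in hash."""
    return hashlib.sha1(timestamp.encode()).hexdigest()

def count_collisions(timestamps) -> int:
    """How many requests received an ID already issued to another request."""
    ids = [time_hash_id(t) for t in timestamps]
    return len(ids) - len(set(ids))

def clock_readings(window_seconds: float, tick_seconds: float) -> int:
    """Distinct clock values, hence distinct possible IDs, in a time window."""
    return round(window_seconds / tick_seconds)

def entropy_bits(outcomes: int) -> float:
    """Bits of entropy for a uniform choice among `outcomes` values."""
    return math.log2(outcomes)

def csprng_id(length: int = 26) -> str:
    """Session ID drawn from the OS CSPRNG, independent of the clock."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    print("collisions:", count_collisions(SAMPLE_TIMESTAMPS))
    print("bits, time-derived, 60 s window:", entropy_bits(clock_readings(60, 0.01)))
    print("bits, CSPRNG, 26 symbols:", entropy_bits(len(ALPHABET) ** 26))
    print("example id:", csprng_id())
```

The hash output is 160 bits long, but an ID can carry no more entropy than its input: about 12.6 bits for a one-minute window at this tick, against roughly 134 bits for 26 CSPRNG-chosen symbols.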