[REBOL] Re: RWT: Cookies
From: petr:krenzelok:trz:cz at: 5-Mar-2003 11:30
Laurent Chevalier wrote:
> Hi Petr,
>
> I'm using this function to generate unique and secure session IDs in my
> rsp.cgi:
>
> build-id: has [id] [
>     random/seed join now/precise either config/log-path [
>         checksum read config/log-path
>     ] [
>         checksum to-string now/precise
>     ]
>     until [
>         id: make string! (config/session-key-length + 5)
>         loop config/session-key-length [
>             append id first random "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
>         ]
>         not exists? to-file rejoin [config/session-dir id ext]
>     ]
>     id
> ]
>
> Note the definition of a unique seed with random/seed to avoid
> repetition of ID.
>
> I'm getting entropy from checksum read config/log-path, which
> depends on the users of the service and so can be guessed by any hacker.
Are you sure a hacker has any chance to guess the sequence? I find your
code a bit complicated to understand. What do you think of:
generate-id: func [/local t] [
    t: mold checksum/secure mold now/time/precise
    random/secure copy/part at t 3 ((length? t) - 3)
]
IIRC in some earlier discussion someone stated that checksum/secure is
secure enough ... the only problem I got is - I was able to receive
the same now/time/precise values ... maybe because of low Windows timer
granularity ... so I added random/secure and I can't believe a) someone
can guess the mechanism b) I can obtain two identical identifiers, which
I want to use for login to the system ...
cheers,
-pekr-
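The two generators discussed in this thread share one property: the
session ID is a deterministic function of a clock reading (plus, in
Laurent's version, a checksum of a log file an attacker may be able to
influence). The example below, added here in Python rather than REBOL
and not taken from either poster, shows why that matters. It seeds a
non-cryptographic PRNG from a millisecond timestamp the way the quoted
build-id does, then lets an attacker who only knows roughly when the
session was created enumerate candidate seeds until the observed ID is
reproduced. Hashing the time first (as in generate-id) does not change
this, because the attacker hashes the same candidates. The hardened
version draws the ID from the operating system's CSPRNG via the
`secrets` module; the ID length, alphabet and time window used here are
assumptions chosen for the illustration.

```python
import math
import random
import secrets
import string

# Same alphabet as the quoted build-id function: A-Z and 0-9.
ALPHABET = string.ascii_uppercase + string.digits


def weak_session_id(seed_time_ms: int, length: int = 16) -> str:
    """Mimic 'random/seed join now/precise ...': seed a non-cryptographic
    PRNG from a millisecond clock and draw characters from ALPHABET.

    The output looks random, but it is a pure function of seed_time_ms.
    """
    rng = random.Random(seed_time_ms)  # Mersenne Twister, not a CSPRNG
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def guess_weak_id(observed_id: str, approx_time_ms: int, window_ms: int = 10_000):
    """Attacker model: the session creation time is known to within
    +/- window_ms (e.g. from a server log line or a Date: header).
    Enumerate every candidate seed and return the one that reproduces
    the observed ID, or None if it is not in the window.
    """
    for t in range(approx_time_ms - window_ms, approx_time_ms + window_ms + 1):
        if weak_session_id(t, len(observed_id)) == observed_id:
            return t
    return None


def seed_entropy_bits(window_ms: int) -> float:
    """Effective entropy of a time-seeded ID: the number of distinct
    seeds the attacker must try, in bits. Independent of ID length, so a
    36**16 alphabet space buys nothing if the seed space is this small.
    """
    return math.log2(2 * window_ms + 1)


def strong_session_id(nbytes: int = 32) -> str:
    """Hardened version: 32 bytes (256 bits) from the OS CSPRNG, encoded
    URL-safe so it can travel in a cookie. Uniqueness follows from the
    entropy, so no 'does this file already exist' loop is needed; a
    collision check is at most a belt-and-braces measure.
    """
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed scenario: a session created at a fixed millisecond
    # timestamp; the attacker's estimate is 3 seconds off.
    created_ms = 1_046_860_200_000
    sid = weak_session_id(created_ms)
    recovered = guess_weak_id(sid, created_ms + 3_000)
    print(f"weak id {sid!r} recovered seed: {recovered}")
    print(f"effective entropy: {seed_entropy_bits(10_000):.1f} bits")
    print(f"strong id: {strong_session_id()}")
```

Once the seed is recovered, the attacker can regenerate not only this
session's ID but every other ID issued by the same process at a nearby
time, which is why a new seed per call does not rescue the scheme.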