Mailing List Archive: 49091 messages
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search

[REBOL] Re: RWT: Cookies

From: rebol:laurent-chevalier at: 5-Mar-2003 13:00

Hi Petr, I wrote a bit quickly this morning and I've swallowed some words. I wanted to say that the entropy provided by the config/log-path file ensures that a hacker can not guess the initial seed of the random generator. If you use time and if time is not precise enough, then you may be vulnerable to brute force attacks, but I agree with you the risks are rather low. Moreover, you need to initialize the random generator each time with a different random/seed to avoid always using the same random sequence. IMHO, if you want to keep things simple, I think this would be a bit more secure : random/seed to-string now/precise id: copy "" loop 30 [ append id first random "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" ] id Regards, Laurent Petr Krenzelok wrote:
> Laurent Chevalier wrote: > >> Hi Petr, >> >> I'm using this function to generate unique and secure session ID in my >> rsp.cgi : >> >> build-id: has [ id ][ >> random/seed join now/precise either config/log-path [ >> checksum read config/log-path ][ checksum to-string now/precise ] >> until [ >> id: make string! (config/session-key-length + 5) >> loop config/session-key-length [ append id first random >> "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" ] >> not exists? to-file rejoin [config/session-dir id ext] >> ] >> id >> ] >> >> Note the definition of a unique seed with random/seed to avoid >> repetition of ID. >> >> I'm getting entropy that to checksum read configl/log-path that >> depends on the users of the service and so can be guess by any hacker. > > Are you sure hacker has any chance to guess the sequence? I find your > code a bit complicated for understanding do you think: > > generate-id: func [/local t][ > t: mold checksum/secure mold now/time/precise > random/secure copy/part at t 3 ((length? t) - 3) > > ] > > IIRC in some earlier discussion someone stated that checksum/secure is > securely enough ... the only problem I got is - I was able to receive > the same now/time/precise values ... maybe of low Windows timer > granularity ... so I added random/secure and I can't believe a) someone > can guess the mechanism b) I can obtain two identical identifiers which > I want to use for login to system ... > > cheers, > -pekr- > >> >> >> See the code and documentation at >> >> Regards, >> Laurent >
-- Laurent