Mailing list home
  Find posts   Help

Latest messageRecent messages

In this thread:
 First
 Prev
 Next
 See whole thread
By msg id:
 Prev: 5 Mar 2003 12:36
 Next: 5 Mar 2003 13:34

Other threads:
 Prev: server side cookie handling example ...
 Next: RWT: Rebol Server Pages the Manual

Same author:
 Prev: 5 Mar 2003 8:24
 Next: 11 Mar 2003 23:13

 Random message

Indexes:
 By topic
 By date
 By author
 By subject
Join the Mailing List....
AccessibilityAbout / FAQ
Member's loungeContact/FeedbackOther REBOL links
Membership:
member name

password

Remember?

Not a member? Please join
26-Jul 23:44 UTC
[0.053] 11.37k
Mailing List Archive: 49091 messages
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search
 

[REBOL] Re: RWT: Cookies

From: rebol:laurent-chevalier at: 5-Mar-2003 13:00


Hi Petr,

I wrote a bit quickly this morning and I've swallowed some words. I
wanted to say that the entropy provided by the config/log-path file
ensures that a hacker can not guess the initial seed of the random
generator.

If you use time and if time is not precise enough, then you may be
vulnerable to brute force attacks, but I agree with you the risks are
rather low.

Moreover, you need to initialize the random generator each time with a
different random/seed to avoid always using the same random sequence.

IMHO, if you want to keep things simple, I think this would be a bit
more secure :

random/seed to-string now/precise
id: copy ""
loop 30 [ append id first random "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" ]
id

Regards,
Laurent

Petr Krenzelok wrote:

> Laurent Chevalier wrote:
>
>> Hi Petr,
>>
>> I'm using this function to generate unique and secure session ID in my
>> rsp.cgi :
>>
>> build-id: has [ id ][
>>   random/seed join now/precise either config/log-path [
>> checksum read config/log-path ][ checksum to-string now/precise ]
>>   until [
>>     id: make string! (config/session-key-length + 5)
>>     loop config/session-key-length [ append id first random
>> "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" ]
>>     not exists? to-file rejoin [config/session-dir id ext]
>>   ]
>>   id
>> ]
>>
>> Note the definition of a unique seed with random/seed to avoid
>> repetition of ID.
>>
>> I'm getting entropy that to checksum read configl/log-path that
>> depends on the users of the service and so can be guess by any hacker.
>
> Are you sure hacker has any chance to guess the sequence? I find your
> code a bit complicated for understanding do you think:
>
> generate-id: func [/local t][
>     t:  mold checksum/secure mold now/time/precise
>     random/secure copy/part at t 3 ((length? t) - 3)
>
> ]
>
> IIRC in some earlier discussion someone stated that checksum/secure is
> securely enough ... the only problem I got is - I was able to receive
> the same now/time/precise values ... maybe of low Windows timer
> granularity ... so I added random/secure and I can't believe a) someone
> can guess the mechanism b) I can obtain two identical identifiers which
> I want to use for login to system ...
>
> cheers,
> -pekr-
>
>>
>>
>> See the code and documentation at http://www.shlik.org/rsp
>>
>> Regards,
>> Laurent
>


--
Laurent
http://www.shlik.org

1 · 2 · 3 · 4 · 5 · 6 · 7 · [8] · 9 · 10 ... 13 · 14 · 15 · 16 · 17 · See whole thread