Date: 08/04/01
- Next message: giancarlo pinerolo: "[phplib] default authentication, anyone using it?"
- Previous message: Richard Archer: "Re: [phplib] Undefined index: in Template"
- In reply to: Jarno Huuskonen: "[phplib] Session ID randomness/security ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
In netuse.lists.phplib you write:
>The problem with this id generation (AFAIK) is that an attacker can
>approximate the timeofday and if the $this->magic is known
>(for example some opensource project or silly admins who don't change
>default values) the attacker has a limited range of values to try:
>For given second there're 1000000 usec values (this probably comes down
>because some computers don't have usec resolution timers??).
Yes.
This is exactly why you choose a different magic for each
installation, and why you change your magic value in each
subclass of Session.
>Why not use the same entropy source as php4 own session tracking ? In
>(pseudocode):
Because this part of PHPLIB is so old that it precedes PHP 4 by
far, in fact it precedes even the first non-beta release of PHP
3. At that time there also was no proper and truly random number
generation facility in most operating systems (only pseudo
random number generators).
>Any thoughts / feedback welcome. (If this has been discussed before
>could you point me to right direction).
The session id can be a completely random number or the hash of
a random number, if you have a method to generate 128 truly
random bits.
In any case you should be safe if you add a new magic value for
each Session subclass.
Kristian
--
http://www.amazon.de/exec/obidos/wishlist/18E5SVQ5HJZXG
"bow down before the one you serve. you're going to get what you deserve." -- Trent Reznor (Sysadmin?)

--
Unsubscribe by mail to: phplib-unsubscribe <email protected>
Command list by mail to: phplib-help <email protected>
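Kristian's point, as an added Python example that is not part of the thread or of PHPLIB: a time-seeded id (modelled here as md5(uniqid($magic)), which is my assumption about how PHPLIB built ids; the exact code is not on the page) leaves roughly 20 bits of uncertainty per second of clock slack once the magic is known, while an id built from 128 bits of OS randomness does not depend on the magic staying secret at all.

```python
import hashlib
import math
import secrets

# Constructed stand-in for a per-installation magic string (assumed; the
# thread only says the default is known for open-source installs).
MAGIC = "Phplib"


def php_uniqid(prefix: str, sec: int, usec: int) -> str:
    """Mimic PHP's uniqid(): prefix + 8 hex digits of seconds + 5 hex digits of usec."""
    return f"{prefix}{sec:08x}{usec:05x}"


def weak_session_id(magic: str, sec: int, usec: int) -> str:
    """Time-seeded id in the style the thread discusses: hash of magic + timestamp.

    Deterministic in (magic, sec, usec), which is the whole problem: the only
    secret input is the magic, and the timestamp is guessable.
    """
    return hashlib.md5(php_uniqid(magic, sec, usec).encode()).hexdigest()


def weak_id_entropy_bits(seconds_of_uncertainty: int) -> float:
    """Effective entropy when the magic is known: the candidate space is the
    clock window times the 1,000,000 possible usec values per second."""
    return math.log2(seconds_of_uncertainty * 1_000_000)


def strong_session_id() -> str:
    """Kristian's alternative: 128 truly random bits from the OS CSPRNG, hex encoded.
    No magic is needed because nothing about the id is derivable from the clock."""
    return secrets.token_bytes(16).hex()


def strong_id_entropy_bits() -> int:
    """Entropy of the random scheme is simply the number of random bits drawn."""
    return 128


if __name__ == "__main__":
    # Constructed timestamp, not taken from the page.
    print("weak id:  ", weak_session_id(MAGIC, 996_883_200, 123_456))
    print(f"weak id, clock known to 1 s:  {weak_id_entropy_bits(1):.1f} bits")
    print(f"weak id, clock known to 1 h:  {weak_id_entropy_bits(3600):.1f} bits")
    print(f"random id:                    {strong_id_entropy_bits()} bits")
    print("random id:", strong_session_id())
```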