From: Derek (derekm at rogers.com)
Date: Tue Mar 05 2002 - 07:36:38 CST
Hello,
A unique identifier (probably primary key on session table)
plus a _cryptographically_ random number would make a secure
session ID. Example: 46467-0E56F83DF6AC94BCD3A76BFF7244CBA8.
The unique identifier can be easily guessed, but the random
number adds enough entropy to make it practically unguessable (1
in 2^128 in the above example). So we now have a session id that
is not only unique but 'unguessable.'
Regards,
Derek
----- Original Message -----
From: "Innes Fisher" <innes.fisher at ccdhb.org.nz>
To: <webappsec at securityfocus.com>
Sent: Monday, March 04, 2002 4:38 PM
Subject: Secure Token Generation
>
>
> This is a follow on from a recent email from me about
> the use of GUID/UUIDs as secure session tokens.
> Firstly, thanks for the previous responses.
>
> Having advised our apps developers that GUIDs were
> not a good secure session token, the first question I
> got in response was, "What is?".
>
> Is there a recommended method for generating
> security tokens?
>
> The tokens could be used in app/server exchanges
> or in human-app interaction.
>
> Thanks, Innes
>
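The scheme Derek describes above (a guessable primary key joined to a 128-bit cryptographically random value, looked up against the server's session table), worked through as an added example that is not part of the original post. The `SessionStore` class, its in-memory dict standing in for the session table, and the use of Python's `secrets` module as the CSPRNG are assumptions made for the illustration; the token format `46467-0E56F83DF6AC94BCD3A76BFF7244CBA8` is the one from the post.

```python
import hmac
import re
import secrets

# Assumed layout from the post: "<session table primary key>-<32 upper-case hex chars>".
# 16 random bytes = 128 bits of entropy, matching the 32-hex-digit example.
RANDOM_BYTES = 16
SESSION_ID_RE = re.compile(r"^(\d+)-([0-9A-F]{32})$")


class SessionStore:
    """Hypothetical server-side session table (in-memory dict for the example)."""

    def __init__(self):
        # Auto-incrementing primary key: trivially guessable on its own,
        # which is exactly why it is paired with a random token.
        self._next_key = 1
        self._sessions = {}  # primary key -> (random token, user)

    def create(self, user):
        """Allocate a row and return the session ID handed to the client."""
        key = self._next_key
        self._next_key += 1
        # secrets.token_hex draws from the OS CSPRNG; never use random.random here.
        token = secrets.token_hex(RANDOM_BYTES).upper()
        self._sessions[key] = (token, user)
        return f"{key}-{token}"

    def lookup(self, session_id):
        """Return the user for a presented session ID, or None if it is not valid.

        The key selects the row; the random half must then match exactly.
        Knowing or guessing the key alone gets an attacker nothing.
        """
        m = SESSION_ID_RE.fullmatch(session_id)
        if m is None:
            return None
        key, token = int(m.group(1)), m.group(2)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        stored_token, user = entry
        # Constant-time comparison so the token cannot be recovered byte by byte.
        if not hmac.compare_digest(stored_token, token):
            return None
        return user

    def destroy(self, session_id):
        """Invalidate a session (logout). Only a valid ID may destroy its own row."""
        if self.lookup(session_id) is None:
            return False
        key = int(session_id.split("-", 1)[0])
        del self._sessions[key]
        return True


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("issued:", sid)
    print("valid lookup ->", store.lookup(sid))
    key = sid.split("-")[0]
    print("guessed key, zero token ->", store.lookup(f"{key}-{'0' * 32}"))
```

The `lookup` path is where the security property lives: the primary key is only used to find the row, and the request is rejected unless the 128-bit half matches. Rotating the session ID after login (calling `destroy` then `create`) keeps the same structure and also defeats session fixation, which the post's format alone does not address.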