From: Derek (derekmrogers.com)
Date: Tue Mar 05 2002 - 07:36:38 CST
A unique identifier (probably primary key on session table)
plus a _cryptographically_ random number would make a secure
session ID. Example: 46467-0E56F83DF6AC94BCD3A76BFF7244CBA8.
The unique identifier can be easily guessed, but the random
number adds enough entropy to make it practically unguessable (1
in 2^128 in the above example). So we now have a session id that
is not only unique but 'unguessable.'
----- Original Message -----
From: "Innes Fisher" <innes.fisherccdhb.org.nz>
Sent: Monday, March 04, 2002 4:38 PM
Subject: Secure Token Generation
> This is a follow on from a recent email from me about
> the use of GUID/UUIDs as secure session tokens.
> Firstly, thanks for the previous responses.
> Having advised our apps developers that GUIDs were
> not a good secure session token, the first question I
> got in response was, "What is?".
> Is there a recommended method for generating
> security tokens?
> The tokens could be used in app/server exchanges
> or in human-app interaction.
> Thanks, Innes
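The construction Derek describes, as an added example that is not code from the original thread: a session ID of the form "record id" + "-" + 32 hex characters (128 bits) from the operating system's cryptographic random source, together with the server-side lookup that goes with it. The Python `secrets` and `hmac` modules, the `SessionStore` class and the function names are assumptions made for illustration; the in-memory table stands in for the session table he mentions.

```python
# Added example, not from the original post: a "<record id>-<128-bit random hex>"
# session ID and its server-side validation. Names and the in-memory store are
# assumptions for illustration.
import hmac
import re
import secrets

TOKEN_BYTES = 16  # 16 bytes = 128 bits of entropy, as in the 32-hex-digit example above
_SID_RE = re.compile(r"^(\d+)-([0-9A-F]{32})$")


def new_token() -> bytes:
    """Random part of the session ID, read from the OS CSPRNG.

    secrets.token_bytes() is the cryptographically random source; a time-seeded
    generator such as random.random() would make this part predictable.
    """
    return secrets.token_bytes(TOKEN_BYTES)


def format_session_id(record_id: int, token: bytes) -> str:
    """Combine the (guessable) record id with the (unguessable) random token."""
    return f"{record_id}-{token.hex().upper()}"


def parse_session_id(sid: str):
    """Return (record_id, token_bytes), or None if the format is wrong."""
    m = _SID_RE.match(sid)
    if m is None:
        return None
    return int(m.group(1)), bytes.fromhex(m.group(2))


class SessionStore:
    """Minimal in-memory session table keyed by record id (assumed for the example)."""

    def __init__(self):
        self._next_id = 1
        self._rows = {}  # record_id -> (token_bytes, username)

    def create(self, username: str) -> str:
        """Create a session row and hand back the composite session ID."""
        record_id = self._next_id
        self._next_id += 1
        token = new_token()
        self._rows[record_id] = (token, username)
        return format_session_id(record_id, token)

    def lookup(self, sid: str):
        """Return the username for a valid session ID, else None.

        The record id only selects the row; the random part is what proves the
        caller owns the session. hmac.compare_digest compares in constant time so
        an attacker cannot recover the token byte by byte from response timing.
        """
        parsed = parse_session_id(sid)
        if parsed is None:
            return None
        record_id, presented = parsed
        row = self._rows.get(record_id)
        if row is None:
            return None
        stored, username = row
        if not hmac.compare_digest(stored, presented):
            return None
        return username


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("issued:", sid)
    print("lookup ok:", store.lookup(sid))
    print("forged id rejected:", store.lookup("1-" + "00" * TOKEN_BYTES) is None)
```

Two points the code makes beyond the prose: the format check rejects anything that is not exactly "digits-32 hex", so malformed input never reaches the table, and the token comparison is constant-time, because an unguessable token is only as good as the comparison that checks it.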