Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Security Coordinator (securityaptusventures.com)
Date: Tue Mar 05 2002 - 09:53:20 CST
On Monday 04 March 2002 16:38, Innes Fisher wrote:
> This is a follow on from a recent email from me about
> the use of GUID/UUIDs as secure session tokens.
> Firstly, thanks for the previous responses.
> Having advised our apps developers that GUIDs were
> not a good secure session token, the first question I
> got in response was, "What is?".
> Is there a recommended method for generating
> security tokens?
> The tokens could be used in app/server exchanges
> or in human-app interaction.
> Thanks, Innes
A good random number generator... ;o). Check what the Apache::Session
mod_perl module does. It uses the MD5 hash of a set of random numbers.
Naturally only as good as your entropy source, but they sure APPEAR very
random at least. One way or another its going to boil down to random numbers.