> Don't rely on the user, apart from their IP address as part of a seed
> along with other random bits (/dev/[u]random).

i'm not familiar with /dev/random. Do you just cat it or what?
as for the rest, i'm assuming you mean this sort of thing:

$secret="128_bits_of_noise_here";
$random=a_random_element;

$sessid=MD5(microtime().$REMOTE_ADDR.$secret.$random);

or are you talking about something more complex? And what about things like
XORing? Perhaps one could take the microtime, XOR each byte by the random
element, and then append that to the secret? is this the sort of process
you're talking about?

Harry

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]