|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Kevin Fu (fubob
MIT.EDU)Date: Thu Jul 05 2001 - 10:24:44 CDT
Speaking of sessionID generation...
My research group recently published a document on good design
practices and reverse engineering of Web client authentication schemes
(e.g., authenticators in URLs and cookies). If you have stories about
problems in Web client authentication, we'd love to document them.
The technical report is on:
A shorter version of the document will be presented at the USENIX
Security Symposium in August.
The document includes a story about session IDs and linear
congruential number generators...
-Kevin
>I just had a quick peek so the following 'information' is based on first
>impressions and is probably full of errors. I hope this could stir up
>some discussion about session id generation / using timeofday as random
>seed/value etc. (or could somebody point me to some references).
--------
Kevin E. Fu (fubobmit.edu)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]