Posted by Jerry Stuckle on 06/24/07 03:00
howa wrote:
> it is not a problem of easy or difficult, but a chance ...
>
> consider you put money in bank and if other might take your session,
> even the probability is 0.00000001%, we still want to avoid it....
>
> or we need to find a better method to assign the session id, e.g. keep
> track of the session id in database
>
>
> On 6 23 , 7 03 , Erwin Moller
> <since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
>> howa wrote:
>>> For example, if two hosts arrive at a server at the same time
>>> (microtime), and using the same IP via NAT, and maybe even lucky
>>> enough to have the same random number
>>> How does PHP make them use different session IDs?
>>> or in fact PHP session is not 100% safe enough?
>>> thanks.
>> Hi Howa,
>>
>> As far as I know PHP doesn't take precautions for that.
>> A typical sessionid consists of 31 or so characters, ranging from:
>> 0-9 and a-z: that is 37 possibilities per character.
>>
>> So you'll end up with 37^31
>>
>> You might very well find that the chances of accidentally creating the
>> same sessionid are equal to the chance you win the lottery 100 times in a
>> row, without ever buying a ticket, but finding them on the street.
>>
>> So as far as I can see: there is no need to worry.
>>
>> Regards,
>> Erwin Moller
>>
>> PS: I don't think the IP address is of importance when creating a sessionid.
>
>
There are no absolutes in computers. All there are are probabilities.
You just have to lower the probabilities enough so that they aren't a
problem.
For a website with 37^31 possibilities, I would think anything 1B
hits/sec. should be sufficient.
If you want true security, you need to use irrational numbers (or
similar) for your key. Of course, an irrational number never ends and
never repeats, so you may have a hard time sending that value over the
connection.
Anything else can be duplicated.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
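The birthday-bound arithmetic behind Erwin's 37^31 figure and Jerry's 1B hits/sec, next to the "keep track of the session id in a database" issuance howa proposes, as an added example (Python, not code from anyone in the thread; the in-memory set standing in for the database, the 31-character length and the 0-9a-z alphabet are assumptions taken from the quoted figures):

```python
import math
import secrets

# Figures quoted in the thread: ~31 characters, ~37 symbols each.
SPACE_37_31 = 37 ** 31
ID_LENGTH = 31
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"  # "0-9 and a-z" (36 symbols)


def collision_probability(n_ids: int, space: int) -> float:
    """Birthday bound: P(at least one duplicate among n_ids random draws
    from `space` equally likely values), p ~= 1 - exp(-n(n-1)/(2N)).
    Python big ints keep n(n-1)/(2N) exact before the final float step."""
    if n_ids < 2:
        return 0.0
    exponent = n_ids * (n_ids - 1) / (2 * space)
    return -math.expm1(-exponent)        # 1 - e^-x without cancellation


def ids_for_probability(target_p: float, space: int) -> int:
    """How many IDs can be issued before a duplicate is at least
    target_p likely: invert the bound, n ~= sqrt(2N ln(1/(1-p)))."""
    return math.ceil(math.sqrt(2 * space * math.log(1.0 / (1.0 - target_p))))


def one_year_at_1b_per_second() -> float:
    """Jerry's rate applied to Erwin's space: 1e9 new sessions per second
    for a full year, with every ID still live (a worst case; expired
    sessions shrink the set that can actually collide)."""
    n = 10**9 * 365 * 86400
    return collision_probability(n, SPACE_37_31)


def random_session_id(draw=None) -> str:
    """Draw an ID from a CSPRNG rather than from time or client address,
    so two requests in the same microsecond behind one NAT are unrelated."""
    if draw is not None:                 # injectable source, used by tests
        return draw()
    return "".join(secrets.choice(ALPHABET) for _ in range(ID_LENGTH))


def issue_session_id(store: set, draw=None, max_tries: int = 5) -> str:
    """howa's mitigation: the issuer checks a store of live IDs and only
    hands out an ID that is not already in use; `store` models the
    database table (assumption) and must be updated atomically in practice."""
    for _ in range(max_tries):
        candidate = random_session_id(draw)
        if candidate not in store:
            store.add(candidate)
            return candidate
    raise RuntimeError("could not find an unused session id")
```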