[Catalyst] Duplicate session ids
Perrin Harkins
perrin at elem.com
Sat May 26 23:24:42 GMT 2007
On 5/26/07, Jonathan Rockway <jon at jrock.us> wrote:
> Please keep in mind that by "rare", he means that you would have to generate
> 2317195645184714165087019331424 sessions per second for 10000000000 years in
> order to have a 50% chance of colliding with an existing session.
Or you could have it happen on the first try. It's just probability.
If duplicate session IDs are a major concern for your application,
generating them from mod_unique_id or a database sequence should
prevent the possibility, and verifying your cookies with a MAC of some
kind will prevent people from taking advantage of predictable IDs.
It doesn't sound like this is the problem Bill was talking about though.
- Perrin
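The two measures Perrin suggests, a unique-by-construction session id plus a MAC over the cookie, as an added example that is not part of the original post and not Catalyst code. It is written in Python rather than Perl so the technique stands on its own; the in-memory counter stands in for a database sequence or mod_unique_id, the server key is generated at start-up only for the demonstration, and the cookie format `id.hexmac` is an assumption of this example.

```python
import hashlib
import hmac
import itertools
import secrets

# Server-side key used to authenticate cookies. Constructed for this example;
# a real deployment loads it from configuration and never rotates it silently.
SERVER_KEY = secrets.token_bytes(32)

# Stand-in for a database sequence or mod_unique_id: guaranteed unique for the
# lifetime of the process, but trivially predictable, which is exactly why the
# MAC below is needed before such ids are safe to use.
_sequence = itertools.count(1)


def next_session_id():
    """Return a fresh, never-repeating session id (unique, not secret)."""
    return str(next(_sequence))


def _mac(session_id, key):
    """HMAC-SHA256 of the session id under the server key, as lowercase hex."""
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_cookie(session_id, key=None):
    """Build the cookie value 'id.mac' that is sent to the client."""
    key = SERVER_KEY if key is None else key
    return f"{session_id}.{_mac(session_id, key)}"


def new_session_cookie():
    """Allocate a new id from the sequence and return (id, cookie)."""
    sid = next_session_id()
    return sid, issue_cookie(sid)


def verify_cookie(cookie, key=None):
    """Return the session id carried by the cookie if its MAC is valid, else None.

    A client who guesses the next id in the sequence cannot produce the MAC
    without the server key, so a predictable id is not a usable one.
    """
    key = SERVER_KEY if key is None else key
    sid, sep, tag = cookie.rpartition(".")
    if not sep or not sid or not tag:
        return None
    # Reject anything that is not a well-formed hex digest before comparing,
    # so compare_digest only ever sees ASCII strings of the expected length.
    if len(tag) != 64 or any(c not in "0123456789abcdef" for c in tag):
        return None
    if not hmac.compare_digest(_mac(sid, key), tag):
        return None
    return sid


if __name__ == "__main__":
    sid, cookie = new_session_cookie()
    print("issued:", cookie)
    print("verifies as:", verify_cookie(cookie))
    # Forgery attempt: keep the tag, bump the id to the next one in sequence.
    forged = f"{int(sid) + 1}.{cookie.split('.')[1]}"
    print("forged cookie accepted:", verify_cookie(forged) is not None)
```

The constant-time comparison matters as much as the MAC itself: comparing the tag with `==` would let an attacker recover a valid tag byte by byte from response timing. Note also that the MAC only proves the cookie was issued by this server; it does not stop replay of a cookie that was stolen intact, which still needs the usual transport and expiry controls.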