durusmail: quixote-users: session change
session change
Jonathan Corbet
2002-04-29
I'm just now getting around to upgrading past 0.4.4.  One of the changes
there has bit me slightly:

        Changed format of session cookies: they're now just random 64-bit
        numbers in hex.

Was there a reason for that change?  I had put together a tweaked session
manager that compared the IP address in the session cookie against the
actual source of the request as a (paranoid, I'm sure) way of defending
against sniff-and-playback attacks.  Obviously, my checking code isn't
happy with the new cookies :).

It's not a big problem, I can think of at least a couple ways of working
around the change.  But I was curious about what motivated it?

(BTW, if anybody's curious about what I'm doing, see lwn.net:8088.  I'd
love to hear comments, but please don't put up any links to the site.)

jon

Jonathan Corbet
Executive editor, LWN.net
corbet@lwn.net


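One way to keep the address check described above once the cookie is only an opaque random number, as an added example that is not part of the original message and not Quixote code: the server records the client address beside the 64-bit id and compares it on every request. The class and function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re
import secrets
import time

SID_RE = re.compile(r"[0-9a-f]{16}")  # 64 random bits in hex, the format the changelog describes


def normalize_addr(addr):
    """Canonical form, so '::ffff:192.0.2.7' and '192.0.2.7' compare equal."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)


class AddressBoundSessions:
    """Hypothetical stand-alone session store (not Quixote's session manager)."""

    def __init__(self, ttl=3600, clock=time.time):
        self._sessions = {}  # session id -> (bound address, expiry time)
        self._ttl = ttl
        self._clock = clock

    def create(self, remote_addr):
        sid = secrets.token_hex(8)  # 8 bytes from the OS CSPRNG
        self._sessions[sid] = (normalize_addr(remote_addr), self._clock() + self._ttl)
        return sid  # value to place in the cookie; it carries no address

    def check(self, cookie_value, remote_addr):
        """Return 'ok', 'unknown', 'expired' or 'address-mismatch'."""
        if not isinstance(cookie_value, str) or not SID_RE.fullmatch(cookie_value):
            return "unknown"  # malformed cookie: never reaches the store
        record = self._sessions.get(cookie_value)
        if record is None:
            return "unknown"
        bound_addr, expires = record
        if self._clock() >= expires:
            del self._sessions[cookie_value]
            return "expired"
        if normalize_addr(remote_addr) != bound_addr:
            # Same cookie from a different source: treat as playback and revoke.
            del self._sessions[cookie_value]
            return "address-mismatch"
        return "ok"
```

Clients behind a shared proxy or NAT present the same address, and a client whose address changes mid-session is logged out, so this check narrows sniff-and-playback rather than ruling it out.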