durusmail: quixote-users: Re: Session Security: Selectively Disable CHECK_SESSION_ADDR
Re: Session Security: Selectively Disable CHECK_SESSION_ADDR
David Binger
2006-06-29
On Jun 29, 2006, at 2:51 PM, A.M. Kuchling wrote:

> On Thu, Jun 29, 2006 at 11:19:12AM -0700, Mike Orr wrote:
>> TurboGears signs the cookie using a hash.  I don't understand how this
>> works, and the developer said he only did it because people insisted,
>> not because he thought it was more secure.  But I can dig up the notes
>> and implementation if there's sufficient interest.
>
> Presumably this is to make the contents more random.  If you numbered
> sessions as 1,2,3,4,..., I might set my browser to try different
> numbers as my session ID and see what I could find.  (Especially for a
> high-value site like a bank!)  If the sequential integer is hashed
> with some secret, it becomes much harder to guess another user's
> session ID.

I think a high-quality random number generator produces values
that are equally difficult to guess.  I don't see how the hash
would improve this.

Hashing a small integer with a secret may actually be less
secure since the security of all of the resulting hash ids will
fail if the secret is guessed or stolen.
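The three schemes the thread compares, side by side, as an added illustration that is not Quixote's or TurboGears' own code: a bare session counter, the counter keyed through an HMAC under a server secret, and an ID drawn from the OS CSPRNG. The secret, the user names and the attacker's guessing budget are constructed sample values. The attacker functions show the two failure modes discussed above: neighbouring integers expose every other session, and once the HMAC secret is known every hashed-counter ID can be recomputed in bulk, whereas random IDs have no shared value whose loss compromises all sessions at once.

```python
"""Session-ID schemes compared: sequential counter, HMAC(secret, counter),
and CSPRNG output.  Added example for the thread, not project code.
The secret, user list and attacker budgets are constructed sample values."""
import hashlib
import hmac
import secrets

SECRET = b"constructed-server-secret"        # assumption: server-side HMAC key
USERS = ["alice", "bob", "carol", "dave"]    # constructed sample accounts


def sequential_id(counter: int) -> str:
    """Naive scheme: the session ID is the session counter itself."""
    return str(counter)


def hashed_counter_id(counter: int, secret: bytes) -> str:
    """Counter run through HMAC-SHA256 under a server secret.  Looks random,
    but every ID is a deterministic function of (secret, counter)."""
    return hmac.new(secret, str(counter).encode(), hashlib.sha256).hexdigest()


def random_id() -> str:
    """128 bits from the OS CSPRNG.  `secrets`, not the `random` module:
    Mersenne Twister output is predictable once a few values are observed."""
    return secrets.token_hex(16)


def build_stores(users, secret):
    """Server-side session tables, one per scheme: session ID -> user."""
    seq = {sequential_id(i): u for i, u in enumerate(users, start=1)}
    hashed = {hashed_counter_id(i, secret): u for i, u in enumerate(users, start=1)}
    rand = {random_id(): u for u in users}
    return seq, hashed, rand


def enumerate_sequential(store, my_id, radius=10):
    """Attacker holding sequential ID `my_id` tries the neighbouring integers
    and collects every other user whose session that hits."""
    base = int(my_id)
    hits = []
    for n in range(base - radius, base + radius + 1):
        sid = str(n)
        if sid != my_id and sid in store:
            hits.append(store[sid])
    return hits


def forge_hashed_ids(store, secret_guess, max_counter=10):
    """Attacker recomputes HMAC(secret_guess, n) for small n.  With the real
    secret every session falls at once; with a wrong guess nothing matches."""
    candidates = (hashed_counter_id(n, secret_guess) for n in range(1, max_counter + 1))
    return [store[sid] for sid in candidates if sid in store]


def guess_random_ids(store, budget=10_000):
    """Blind guessing against CSPRNG IDs: roughly budget * len(store) / 2**128
    expected hits, i.e. none within any realistic budget."""
    return sum(1 for _ in range(budget) if secrets.token_hex(16) in store)


if __name__ == "__main__":
    seq, hashed, rand = build_stores(USERS, SECRET)
    print("sequential, attacker is bob:", enumerate_sequential(seq, "2"))
    print("hashed, secret leaked:", forge_hashed_ids(hashed, SECRET))
    print("hashed, secret unknown:", forge_hashed_ids(hashed, b"wrong-guess"))
    print("random, 10k blind guesses:", guess_random_ids(rand))
```

With the secret intact the HMAC scheme is as unguessable as the random one, which is the point made above; the difference is only what happens when the secret leaks. Signing a cookie, as TurboGears does, buys something else entirely (integrity of the data stored in the cookie, so the client cannot alter it), and that goal should not be confused with making the session identifier hard to guess.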