Vulnerability Development mailing list archives

Re: php / phplib session-id generation


From: Kevin Fu <fubob () MIT EDU>
Date: Thu, 05 Jul 2001 11:24:44 -0400

Speaking of sessionID generation...

My research group recently published a document on good design
practices and reverse engineering of Web client authentication schemes
(e.g., authenticators in URLs and cookies).  If you have stories about
problems in Web client authentication, we'd love to document them.
The technical report is on:

http://cookies.lcs.mit.edu/

A shorter version of the document will be presented at the USENIX
Security Symposium in August.

The document includes a story about session IDs and linear
congruential number generators...

-Kevin

> I just had a quick peek so the following 'information' is based on first
> impressions and is probably full of errors. I hope this could stir up
> some discussion about session id generation / using timeofday as random
> seed/value etc. (or could somebody point me to some references).

--------
Kevin E. Fu (fubob () mit edu)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html
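The two concerns raised in this thread, session IDs drawn from a linear congruential generator and a generator seeded with the time of day, as an added illustration that is not part of Kevin Fu's message or of the report he cites. The LCG constants (the Numerical Recipes 32-bit parameters), the 8-hex-digit session-ID format, the issue timestamp and the 300-second search window are assumptions made for this demonstration, not the behaviour of any particular PHP or phplib release.

```python
import secrets

# Assumed LCG parameters (Numerical Recipes, modulus 2**32). Any full-period
# LCG behaves the same way for the attack below; these are not phplib's.
LCG_A = 1664525
LCG_C = 1013904223
LCG_M = 2 ** 32


def lcg_next(state):
    """One step of the linear congruential generator."""
    return (LCG_A * state + LCG_C) % LCG_M


class WeakSessionServer:
    """Constructed weak design: session IDs are successive LCG outputs,
    and the initial state is a time-of-day value (seconds since the epoch)."""

    def __init__(self, seed):
        self.state = seed % LCG_M

    def new_session_id(self):
        self.state = lcg_next(self.state)
        return "%08x" % self.state


def predict_next_ids(observed_id, count):
    """An LCG's entire internal state is its most recent output, so a single
    session ID handed to one client reveals every ID issued after it."""
    state = int(observed_id, 16)
    predicted = []
    for _ in range(count):
        state = lcg_next(state)
        predicted.append("%08x" % state)
    return predicted


def recover_seed(first_id, approx_issue_time, window=300):
    """If the seed is the time of day, an attacker who knows roughly when the
    server started only has to try a few hundred candidate seeds. The LCG map
    is a bijection mod 2**32, so at most one seed in the window matches."""
    target = int(first_id, 16)
    for seed in range(approx_issue_time - window, approx_issue_time + window + 1):
        if lcg_next(seed % LCG_M) == target:
            return seed
    return None


def strong_session_id():
    """What a session ID should look like: 256 bits from the OS CSPRNG.
    Outputs carry no information about each other or about the seed."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    # Constructed scenario: server booted at an assumed epoch time and issues
    # one ID to the attacker, who then predicts the next three victims' IDs.
    boot_time = 994346684
    server = WeakSessionServer(seed=boot_time)
    mine = server.new_session_id()
    print("attacker's own id:", mine)
    print("predicted next ids:", predict_next_ids(mine, 3))
    print("server actually issued:", [server.new_session_id() for _ in range(3)])
    print("recovered seed:", recover_seed(mine, boot_time + 120))
    print("CSPRNG id:", strong_session_id())
```

Two properties make the weak design fail independently: the generator's output is its whole state, so one legitimate session ID predicts all later ones without any seed recovery at all, and the seed space (seconds in a plausible window) is small enough to enumerate when the first ID is observed. A CSPRNG-backed generator such as `secrets` closes both gaps; no amount of hashing or hex-encoding an LCG output does.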

