Vulnerability Development mailing list archives
Re: php / phplib session-id generation
From: Kevin Fu <fubob () MIT EDU>
Date: Thu, 05 Jul 2001 11:24:44 -0400
Speaking of sessionID generation... My research group recently published a document on good design practices and reverse engineering of Web client authentication schemes (e.g., authenticators in URLs and cookies). If you have stories about problems in Web client authentication, we'd love to document them.

The technical report is at: http://cookies.lcs.mit.edu/

A shorter version of the document will be presented at the USENIX Security Symposium in August. The document includes a story about session IDs and linear congruential number generators...

-Kevin
> I just had a quick peek so the following 'information' is based on first impressions and is probably full of errors. I hope this could stir up some discussion about session id generation / using timeofday as random seed/value etc. (or could somebody point me to some references).
--------
Kevin E. Fu (fubob () mit edu)
PGP key: https://snafu.fooworld.org/~fubob/pgp.html
Current thread:
- php / phplib session-id generation Jarno Huuskonen (Jul 05)
- Re: php / phplib session-id generation Jose Nazario (Jul 05)
- Re: php / phplib session-id generation Kevin Fu (Jul 05)