[hunchentoot-devel] Sessions not secure?
Sohail Somani
sohail at taggedtype.net
Wed Dec 26 21:38:46 UTC 2007
On Wed, 26 Dec 2007 22:21:44 +0100, Edi Weitz wrote:
> On Wed, 26 Dec 2007 21:09:37 +0000 (UTC), Sohail Somani
> <sohail at taggedtype.net> wrote:
>
>> In reality, it looks like this:
>>
>> * (concatenate 'string *session-secret*
>> id user-agent ip-address time-of-session-start)
>
> And don't forget MD5. Even if the random number generator were weak,
> you'd have a hard time to figure out where in the random sequence you
> are, right?
Practically, yes. I think it still depends on the RNG and how much
knowledge I have of your server setup.
To me, the documentation makes it seem like there is no randomness
involved. I think it should mention that there is some randomness but the
quality of the security is dependent on the quality of the RNG. In any
case, Hunchentoot has done as close to an optimal job as is economical.
In my highly unqualified opinion of course (IMHUQO?) :-)
>> but I don't know enough about the Lisp random number generators to say.
>
> This is obviously implementation-dependent. Some Lisp implementations
> also offer more choices for random number generators, for example:
>
> http://www.lispworks.com/documentation/lw50/LWRM/html/lwref-326.htm
Thanks! I've been meaning to try LW but SBCL is very nice to me so far :-)
--
Sohail Somani
http://uint32t.blogspot.com
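As an added illustration of the scheme quoted in this thread (not Hunchentoot's own code): a Python model that derives the session digest from the concatenated secret, id, user-agent, IP and start time, draws the secret from the OS CSPRNG, and verifies a presented cookie server-side; the field order, the lack of a separator and the cookie contents are assumptions.

```python
# Added example modelling the session-id derivation discussed above.
# NOT Hunchentoot's code: field order, separator and cookie format are assumed.
import hashlib
import hmac
import secrets


def make_session_secret() -> str:
    """Per-server secret from the OS CSPRNG (secrets -> os.urandom).

    The thread's point: every other input to the digest (id, user-agent,
    IP, start time) is observable, so the unpredictability of the session
    id rests entirely on this value and the RNG that produced it."""
    return secrets.token_hex(32)


def session_digest(secret: str, session_id: int, user_agent: str,
                   ip: str, start: float) -> str:
    """MD5 over the concatenation shown in the quoted message."""
    material = "".join([secret, str(session_id), user_agent, ip, repr(start)])
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def verify_session_cookie(cookie: str, secret: str, stored: dict,
                          user_agent: str, ip: str) -> bool:
    """Recompute the digest from the stored session record plus the current
    request's user-agent and IP, and compare in constant time. A request
    from a different client (UA or IP changed) fails the check."""
    expected = session_digest(secret, stored["id"], user_agent, ip,
                              stored["start"])
    return hmac.compare_digest(cookie.encode("ascii", "replace"),
                               expected.encode("ascii"))


# Constructed sample data for a stand-alone run.
SECRET = make_session_secret()
RECORD = {"id": 7, "start": 1198704000.0}
USER_AGENT = "Mozilla/5.0 (constructed)"
CLIENT_IP = "192.0.2.10"

if __name__ == "__main__":
    cookie = session_digest(SECRET, RECORD["id"], USER_AGENT, CLIENT_IP,
                            RECORD["start"])
    print("same client :", verify_session_cookie(cookie, SECRET, RECORD,
                                                 USER_AGENT, CLIENT_IP))
    print("other UA    :", verify_session_cookie(cookie, SECRET, RECORD,
                                                 "Other/1.0", CLIENT_IP))
```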