On Thu, 31 Aug 2000, Hung Jung Lu wrote:
> Curtis,
> Could you describe how often the problem happens? How many session users go to the site? You mentioned about a month of public usage. During that month, did you have one single incident? How many sessions happened during that month?
So far, we have one recorded incident, and one anecdotal (from internal) incident. I am having some more extensive testing done soon, so we can try to pin down further the exact circumstances which cause this problem. The site is used for issuing product return authorities, and so far, over 160 RAs have been issued. Yes, it is a fairly low traffic site. Session data is retained between visits (a side effect, but a welcome one), so I really cannot be sure of how many sessions were used.
> All key-based session management systems are intrinsically unsafe, since other people can tap into your session, with non-zero probability, if the key length is finite. The only hope is to make the key long enough, so even if the hacker has a supercomputer, it would still take him/her the age of the universe to crack into your website. One thing I mentioned to Pavlos (and/or Anthony Baxter?) before is that the key lengths of their cookies are a bit too short. For my HappySession product (another session management product, which is RAM based), I cranked up the key length to a 128-character alphanumeric key, exactly because I wanted no key collision for a long long time. :)
Well, yes and no. This really depends on the sensitivity of your data, and how likely it is for someone to try to crack your site. In this case, both are fairly low, so the key strength is fine, IMHO.
> regards,
> Hung Jung
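The exchange above argues about key length by feel ("a bit too short", "128 alphanumeric char"). The following is an added example, not code from this thread or from HappySession or any other product mentioned, that puts numbers on the two risks being discussed: the birthday-style chance that two independently generated session keys collide, and the time budget an operator should assume before a guessed key lands on a valid session. It assumes keys are drawn uniformly from the 62 alphanumeric characters; the guess rates and the session count of 160 (taken from Curtis's RA figure) are constructed inputs for the illustration.

```python
import math
import secrets
import string

# 62 symbols: the alphanumeric alphabet the thread refers to.
ALPHANUMERIC = string.ascii_letters + string.digits

SECONDS_PER_YEAR = 31_557_600.0
AGE_OF_UNIVERSE_YEARS = 1.38e10  # rough figure, used only for comparison


def key_entropy_bits(length: int, alphabet_size: int = len(ALPHANUMERIC)) -> float:
    """Entropy, in bits, of a key of `length` symbols drawn uniformly from
    an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(target_bits: float, alphabet_size: int = len(ALPHANUMERIC)) -> int:
    """Smallest key length (in symbols) that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def collision_probability(sessions: int, entropy_bits: float) -> float:
    """Birthday bound: probability that at least two of `sessions`
    independently generated keys are identical,
    p = 1 - exp(-n(n-1) / (2 * 2^bits)).
    2**-bits underflows to 0.0 for very long keys, which correctly yields p = 0."""
    if sessions < 2:
        return 0.0
    exponent = -(sessions * (sessions - 1) / 2.0) * (2.0 ** -entropy_bits)
    return -math.expm1(exponent)  # 1 - e^x without catastrophic cancellation


def expected_years_to_first_hit(entropy_bits: float, valid_sessions: int,
                                guesses_per_second: float) -> float:
    """Expected wall-clock years until a uniformly random guess matches one of
    `valid_sessions` live keys, at `guesses_per_second`. Each guess succeeds
    with probability valid/2^bits, so the expected number of guesses is
    2^bits/valid. Computed in log space so huge key spaces do not overflow."""
    log2_years = (entropy_bits
                  - math.log2(valid_sessions)
                  - math.log2(guesses_per_second)
                  - math.log2(SECONDS_PER_YEAR))
    if log2_years > 1000:
        return math.inf
    return 2.0 ** log2_years


def generate_session_key(length: int = 128) -> str:
    """Session key from the OS CSPRNG; `random.choice` would not be suitable here."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


if __name__ == "__main__":
    bits_128 = key_entropy_bits(128)
    print(f"128 alnum chars = {bits_128:.1f} bits")
    print(f"collision among 160 sessions: {collision_probability(160, bits_128):.3g}")
    # Retained sessions accumulate, so the number of valid keys keeps growing;
    # a short key is what makes that matter.
    for length in (8, 16, 22, 128):
        bits = key_entropy_bits(length)
        years = expected_years_to_first_hit(bits, valid_sessions=160,
                                            guesses_per_second=1e6)
        print(f"{length:3d} chars ({bits:6.1f} bits): "
              f"{years:.3g} years to first hit at 1e6 guesses/s "
              f"({years / AGE_OF_UNIVERSE_YEARS:.3g} universe ages)")
    print("sample key:", generate_session_key(32))
```

Two caveats the numbers make visible: the collision probability that Hung Jung worries about is negligible long before 128 characters (22 alphanumeric characters already give 128 bits), while the guessing budget depends on how many sessions are simultaneously valid, so Curtis's retention of sessions between visits is the parameter that grows over time and deserves an expiry.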