27 Nov 2001, 8:27 p.m.
Chris McDonough writes:
It's very cost effective to integrate a hash and a secret: It does cost nearly nothing for you, the maintainer of CoreSessions, and it really costs nothing besides a few CPU cycles for the sites using it. But it makes it *much* harder for potential attackers to go for a session id. So I think it should be done :)
OK, so do you recommend that I just use a shared secret string to obfuscate the session id? Under my Linux (SuSE Linux 7.1), the random number generator is initialized on first installation and saved/restored across restarts. This means its state is very random and could be used as the secret.
Not sure how other OSes handle this issue....
Dieter
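The "hash plus secret" scheme discussed above, as an added illustration that is not code from the thread or from CoreSessions: a session id is a random token joined to an HMAC of that token under a server-side secret, and the server rejects any id whose tag does not verify. The secret value, the `token.tag` layout and the function names are assumptions of this example.

```python
import hmac
import hashlib
import secrets

# Constructed example secret. In practice load it once from the OS random
# pool at install time (as the thread suggests) and keep it out of source
# control; anyone who holds it can mint valid-looking ids.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
TOKEN_BYTES = 16


def _tag(token_hex: str, secret: bytes = SERVER_SECRET) -> str:
    """HMAC-SHA256 of the random token under the server secret."""
    return hmac.new(secret, token_hex.encode(), hashlib.sha256).hexdigest()


def new_session_id(secret: bytes = SERVER_SECRET) -> str:
    """Random token plus its keyed hash, joined as 'token.tag'.

    The token alone is already unguessable; the tag additionally lets the
    server discard ids it never issued before touching any session store."""
    token_hex = secrets.token_hex(TOKEN_BYTES)
    return f"{token_hex}.{_tag(token_hex, secret)}"


def session_id_is_valid(session_id: str, secret: bytes = SERVER_SECRET) -> bool:
    """Accept only ids whose tag verifies under the secret.

    The comparison is constant-time so that a forger cannot learn the tag
    byte by byte from response timing."""
    token_hex, sep, tag = session_id.partition(".")
    if sep != "." or len(token_hex) != 2 * TOKEN_BYTES or not tag:
        return False
    try:
        bytes.fromhex(token_hex)  # token must be well-formed hex
    except ValueError:
        return False
    return hmac.compare_digest(tag, _tag(token_hex, secret))
```

A changed token, a changed tag, or an id minted under a different secret all fail the check, so guessing "neighbouring" ids gives an attacker nothing.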