[Zope] FSSession problems...

Curtis Maloney curtis@umd.com.au
Thu, 31 Aug 2000 09:59:19 +1100

On Thu, 31 Aug 2000, Hung Jung Lu wrote:
> Curtis,
> Could you describe how often the problem happens? How many session
> users go to the site? You mentioned about a month of public usage. During
> that month, did you have one single incident? How many sessions happened
> during that month?
So far, we have one recorded incident, and one anecdotal (from internal) 
incident.  I am having some more extensive testing done soon, so we can try 
to pin down further the exact circumstances which cause this problem.

The site is used for issuing product return authorities, and so far, over 160 
RAs have been issued.  Yes, it is a fairly low traffic site.  Session data is 
retained between visits (a side effect, but a welcome one), so I really 
cannot be sure of how many sessions were used.

> All key-based session management systems are intrinsically unsafe, since
> other people can tap into your session, with non-zero probability, if the
> key-length is finite. The only hope is to make the key long enough, so even
> if the hacker has a supercomputer, it would still take him/her the age of
> the universe to crack into your website. One thing I mentioned to Pavlos
> (and/or Anthony Baxter?) before is that the key lengths of their cookies
> are a bit too short. For my HappySession product (another session
> management product, which is RAM based), I cranked up the key length to 128
> alphanumeric char key, exactly because I wanted no key collision for a long
> long time. :)
Well, yes and no.  This really depends on the sensitivity of your data, and 
how likely it is for someone to try to crack your site.  In this case, both 
are fairly low, so the key strength is fine, IMHO.

> regards,
> Hung Jung