开发者

How are session identifiers generated?

Most web applications depend on some kind of session with the user (for instance, to retain login status). The session id is kept as a cookie in the user's browser and sent with every request.

To make it hard to guess the next user's session these session-ids need to be sparse and somewhat random. The also have to be unique.

The question is - how to efficiently generate session ids that are sparse and unique?

This question has a good answer for unique random numbers, but it seems not scalable for a large range of numbers, simply because the array will end up taking a lot of memory.

EDIT:

  • GUIDs开发者_开发问答 are considered unsafe as far as security (and randomness) go.
  • The core problem is making sure the numbers are unique, i.e. they don't repeat and making it efficient.


If you want them to be unique and not easily guessable, why not combine these?

Take a counter (generates unique value for new session) and append random bits generated by a CSPRNG. Make sure to get the minimum number of bits required right.

This should work on a farm as well without hitches: just prefix the counter that is local to a server with an id that is unique to that server.

SSSSCCCCCRRRRRR

Where S is server id that created the session, C is the server local counter and R is a crypto random.

(Disclaimer: the number of letters do not correspond to the number of digits/bits you should use in any way. :)

Unique, secure.


You could take a look at the RNGCryptoServiceProvider if you are using .NET.

http://www.informit.com/guides/content.aspx?g=dotnet&seqNum=775

This is a cryptographically secure way of generating random numbers.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜