Session ID & Security

Paul Rubin phr-n2002b at NOSPAMnightsong.com
Wed Jul 17 01:39:04 EDT 2002


Paul Rubin <phr-n2002b at NOSPAMnightsong.com> writes:
> Here's a simple way: pick some secret, unguessable, constant string, like
> "H5LV9-GRDP5-9FG5T-HLUDN".  Call it K.  
> 
> Now to generate an authentication cookie, simply compute the HMAC of
> some session identifier, along with some non-repeating data.  For
> example, let S = the username + IP address + exact login time and the
> auth cookie is the HMAC of S with key K.

Actually, rather than mess with this stuff it's simpler (and
preferable) to use a securely generated random string as the session
ID, if you can manage it.  Unfortunately there's no
platform-independent way to do it.  Linux and *BSD systems provide a
system device for the purpose of supplying secure random strings.
Cygwin also simulates this device on Windows using the Windows CAPI
CryptGenRandom function.  It's on various people's to-do list to write
an extension module that lets non-Cygwin Windows users do something
similar.

If you're using Linux or *BSD, writing something like:

   from binascii import hexlify
   def gen_session_id():
       # 16 bytes from the kernel CSPRNG -> 32 hex digits.  Open in binary
       # mode so the read returns bytes, and close the device afterwards.
       with open("/dev/urandom", "rb") as f:
           return hexlify(f.read(16))

should return a thoroughly unguessable 32-digit hex number without
your having to mess around with HMAC, generating unique initial state,
maintaining secret magic constants in your code, etc.

This is the way to go if it works for you.
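The following is an added example, not code from the post above.  It puts the
two approaches side by side: a random session ID from the OS CSPRNG kept in a
server-side store (the approach recommended above), and the quoted HMAC cookie
for comparison.  secrets.token_hex() reads the operating system's random source
on every platform, so the /dev/urandom path is no longer needed.  The
SessionStore class, its idle timeout, the message encoding inside hmac_cookie
and the sample usernames/addresses are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
import time

# Added example, not the poster's code.  secrets.token_hex() draws from the OS
# CSPRNG (the same source as /dev/urandom on Linux/*BSD) and also works on
# Windows, so no platform-specific device path is needed.

SESSION_ID_BYTES = 16        # 128 bits of entropy -> 32 hex digits
SESSION_TTL_SECONDS = 3600   # assumed idle timeout for this toy store
_HEX_ID = re.compile(r"[0-9a-f]{%d}" % (2 * SESSION_ID_BYTES))


def gen_session_id(nbytes=SESSION_ID_BYTES):
    """Return a lowercase hex session ID with nbytes*8 bits of CSPRNG entropy."""
    return secrets.token_hex(nbytes)


class SessionStore:
    """Server-side store keyed by the random ID; the cookie carries only the ID.

    Nothing about the user is derivable from the ID, and there is no long-lived
    secret to protect: guessing a live ID means guessing 128 random bits.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, now=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._now = now   # injectable clock so expiry can be tested offline

    def create(self, username):
        sid = gen_session_id()
        self._sessions[sid] = (username, self._now())
        return sid

    def lookup(self, sid):
        """Return the username for a live session, else None."""
        # Reject anything that is not exactly 32 lowercase hex digits before
        # touching the store, so malformed cookies never reach the dict.
        if not isinstance(sid, str) or _HEX_ID.fullmatch(sid) is None:
            return None
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, created = entry
        if self._now() - created > self._ttl:
            del self._sessions[sid]          # expired: drop it on first sight
            return None
        return username

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def hmac_cookie(key, username, ip, login_time):
    """The quoted HMAC scheme, for comparison: cookie = HMAC_K(username+ip+time).

    The separator and the time format are assumptions; the scheme needs the
    long-lived secret K, and the server must still know S to recheck the cookie.
    """
    s = "%s|%s|%.6f" % (username, ip, login_time)
    return hmac.new(key, s.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_hmac_cookie(key, username, ip, login_time, cookie):
    expected = hmac_cookie(key, username, ip, login_time)
    # Constant-time comparison so the check itself does not leak the digest.
    return hmac.compare_digest(expected, cookie)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")          # constructed sample user
    print(sid, store.lookup(sid))
```

The store's lookup validates the ID's shape first, then falls back to a plain
dict lookup; because the ID is random rather than derived from user data, a
leaked or guessed value cannot be related to any particular account, which is
the property the reply above is after.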
