Session ID & Security

Paul Rubin phr-n2002b at NOSPAMnightsong.com
Wed Jul 17 01:05:22 EDT 2002


Jan Felix Reuter <thefogger at web.de> writes:
> Now I'm concerned about security, because with this scheme an attacker could 
> easily get access to a user's session by just guessing its ID. After some 
> research I found out about Message Authentication Codes and the hmac python 
> module. How does one use it? Do I apply the algorithm to every message (cgi 
> output?) and place the hash in another cookie or appended to the session ID 
> string? So, if the client sends back a hash that differs from the last hash 
> the server has sent, the session is discarded, is that how you do it?

Here's a simple way: pick some secret, unguessable, constant string, like
"H5LV9-GRDP5-9FG5T-HLUDN".  Call it K.  

Now to generate an authentication cookie, simply compute the HMAC of
some session identifier, along with some non-repeating data.  For
example, let S = the username + IP address + exact login time and the
auth cookie is the HMAC of S with key K.

Note that using shelve for holding session data shared between
multiple threads or processes is dangerous unless you're using a
fancy dbm underneath (like Sleepycat).  Someone really should
implement a session management scheme sometime using shared memory
instead of messing around with stuff like shelve.

> Hashing all the output seems a bit overkill to me. Wouldn't a simple random 
> number suffice? I get the feeling that I misunderstood the whole MAC thing.

Maybe it's overkill, but you can never have too much overkill. ;-) 
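The scheme Paul describes, as an added example that is not part of the original thread: the cookie carries S (username, IP address, login time) together with the HMAC of S under the secret key K, and the server recomputes the tag and rejects any cookie whose tag does not match. The key value, the field separator, the SHA-256 choice and the function names are assumptions made for this illustration; the post itself only specifies "HMAC of S with key K".

```python
import hashlib
import hmac
import time

# Constructed secret key for this example (the post uses a constant
# secret string K). In a real deployment it would be loaded from
# configuration or generated with secrets.token_bytes(), never hard-coded.
K = b"H5LV9-GRDP5-9FG5T-HLUDN"

SEP = "|"  # assumed field separator; must not appear inside any field


def make_session_cookie(username, ip, login_time, key=K):
    """Build S = username + IP + login time and append HMAC(K, S).

    Returns the cookie string 'username|ip|login_time|tag'.
    """
    fields = [username, ip, str(int(login_time))]
    if any(SEP in f for f in fields):
        # A separator inside a field would let the cookie be re-parsed
        # into different fields with the same tag, so refuse it outright.
        raise ValueError("field contains separator")
    s = SEP.join(fields)
    tag = hmac.new(key, s.encode(), hashlib.sha256).hexdigest()
    return s + SEP + tag


def verify_session_cookie(cookie, key=K):
    """Return (username, ip, login_time) if the tag is valid, else None.

    Any malformed cookie, any altered field, and any tag produced under a
    different key are rejected. The comparison is constant-time so that
    a guesser learns nothing from response timing.
    """
    try:
        username, ip, login_time, tag = cookie.split(SEP)
        login_time_int = int(login_time)
    except ValueError:
        return None
    s = SEP.join([username, ip, login_time])
    expected = hmac.new(key, s.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return username, ip, login_time_int


if __name__ == "__main__":
    # Constructed sample login; the IP address is a private-range placeholder.
    cookie = make_session_cookie("alice", "10.0.0.5", int(time.time()))
    print("issued :", cookie)
    print("valid  :", verify_session_cookie(cookie))
    # Changing the username without the key invalidates the tag.
    print("forged :", verify_session_cookie(cookie.replace("alice", "admin")))
```

The guessing problem from the question disappears because a forger must produce a 256-bit tag without K; a sequential or short session ID on its own gives no such protection. Note that `hmac.compare_digest` is what prevents timing side channels on the tag check, which a plain `==` would leak.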
