Session ID & Security

Erno Kuusela erno-news at erno.iki.fi
Wed Jul 17 08:33:02 EDT 2002


In article <ah1e6m$2c0$00$1 at news.t-online.com>, Jan Felix Reuter
<thefogger at web.de> writes:

| Now I'm concerned about security, because with this scheme an attacker could 
| easily get access to a user's session by just guessing its ID. After some 
| research I found out about Message Authentication Codes and the hmac python 
| module. How does one use it? Do I apply the algorithm to every message (cgi 
| output?) and place the hash in another cookie or appended to the session ID 
| string? So, if the client sends back a hash that differs from the last hash 
| the server has sent, the session is discarded, is that how you do it?

one way to do it would be:

pick a secret key (random string) that is known only to your cgi program.

generate a regular session identifier (for example incrementing number,
or whatever).

use session-id-plaintext + hmac(key, session-id-plaintext) as
session id.

when you have an incoming http request, split it into the
session-id-plaintext and session-id parts, and see if the hmac
matches.

iow, you only have to hash the session id itself.

  -- erno
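The scheme Erno outlines above, written out as an added Python example (this is not code from the original post). It assumes a server-side secret key, a plaintext session id such as an incrementing counter, and a "." separator between plaintext and tag; the tag is HMAC-SHA256 from the standard hmac module, and the comparison uses hmac.compare_digest so that a tag mismatch is not leaked through timing.

```python
import hashlib
import hmac
import secrets

# Secret key known only to the server. Generated here for the demo; in a
# real deployment load it from a file or environment outside the web root,
# because anyone holding this key can mint valid session ids.
SECRET_KEY = secrets.token_bytes(32)

# Separator between the plaintext id and its tag. A hex tag never contains
# ".", so rpartition() on it splits the cookie unambiguously.
SEPARATOR = "."


def _tag(plaintext: str, key: bytes) -> str:
    """HMAC-SHA256 of the plaintext session id, hex encoded."""
    return hmac.new(key, plaintext.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_session_id(plaintext: str, key: bytes = SECRET_KEY) -> str:
    """Return plaintext + separator + hmac(key, plaintext).

    The plaintext can be a guessable value (a counter, a row id); the tag is
    what makes the whole string unforgeable without the key.
    """
    if SEPARATOR in plaintext:
        raise ValueError("plaintext session id must not contain the separator")
    return f"{plaintext}{SEPARATOR}{_tag(plaintext, key)}"


def verify_session_id(cookie: str, key: bytes = SECRET_KEY):
    """Split an incoming session id into plaintext and tag and check the tag.

    Returns the plaintext on success, or None if the cookie is malformed or
    the tag does not match (tampered plaintext, wrong key, or a forgery).
    """
    plaintext, sep, tag = cookie.rpartition(SEPARATOR)
    if not sep or not plaintext or not tag:
        return None
    expected = _tag(plaintext, key).encode("ascii")
    # Constant-time comparison on bytes; a non-ASCII tag would make the
    # str form of compare_digest raise, so compare bytes instead.
    if not hmac.compare_digest(expected, tag.encode("utf-8")):
        return None
    return plaintext


if __name__ == "__main__":
    # Constructed demo: issue an id for "session 42", then try to bump it
    # to "43" while keeping the old tag, which is what a guessing attacker
    # would have to do.
    good = issue_session_id("42")
    print("issued:", good)
    print("verify good     ->", verify_session_id(good))
    forged = "43" + SEPARATOR + good.split(SEPARATOR, 1)[1]
    print("verify forged   ->", verify_session_id(forged))
    print("verify no tag   ->", verify_session_id("42"))
```

Note what this does and does not buy you: an attacker who cannot see the key cannot produce a valid tag for any plaintext they did not receive from the server, so guessing ids is no longer enough. It does nothing against an attacker who obtains a real cookie (sniffing, XSS, a leaked log), since a stolen plaintext+tag pair is replayed as-is; that still needs TLS, HttpOnly/Secure cookie flags and server-side expiry, which is also why the tag covers only the session id, not every response.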
