generating a session id

Discussion in 'Perl Misc' started by ioneabu@yahoo.com, Dec 20, 2004.

  1. Guest

    I have been using Apache:Session:MySQL for generating session ids in my
    attempts at creating a secure login environment on the web where once
    the users id is validated, a session id is generated which is passed
    from page to page and is checked against the database at each page to
    verify that it is legitimate and current. I think this is pretty much
    the standard way to do it.

    I realized that I was not using the other features of
    Apache:Session:MySQL, just creating a big random string to be used as a
    session id. Since I know how to insert a big random string into a
    database, I thought I could skip using this module altogether and just
    make up my own session id:

    #!/usr/bin/perl

    use strict;
    use warnings;

    # Length of the id: first argument, default 10.
    my $count = @ARGV ? int $ARGV[0] : 10;

    # Build the alphabet: 'a' .. 'z' followed by '0' .. '9'.
    my @array;
    my $c = 'a';
    for (my $i = 0; $i < 26; $i++) {
        push @array, $c;
        $c++;
    }
    $c = '0';
    for (my $i = 0; $i < 10; $i++) {
        push @array, $c;
        $c++;
    }

    # Pick $count symbols with perl's built-in rand() (not a CSPRNG).
    my $out;
    for (my $i = 0; $i < $count; $i++) {
        $out .= $array[rand(36)];
    }
    print "$out\n";

    As you can see, this simple program just creates a random string of
    letters and digits of a length defined by $ARGV[0].

    1) Is there a better or more interesting or more concise way to write
    the above code?

    2) Is there any reason i should still use Apache:Session:MySQL if all I
    am doing with it is creating session ids?

    Thanks!

    wana
     
    , Dec 20, 2004
    #1

  2. <> wrote:

    > my $c = 'a';
    > for (my $i=0;$i<26;$i++)
    > {
    > push @array, $c;
    > $c++;
    > }
    > $c ='0';
    > for (my $i=0;$i<10;$i++)
    > {
    > push @array, $c;
    > $c++;
    > }



    You can replace all of that code with this one line:

    @array = ('a' .. 'z', 0 .. 9);


    > my $out;
    > for (my $i=0;$i<$count;$i++)
    > {
    > $out .= $array[rand(36)];
    > }
    > print "$out\n";
    >
    > As you can see, this simple program just creates a random string of
    > letters and digits of a length defined by $ARGV[0].
    >
    > 1) Is there a better or more interesting or more concise way to write
    > the above code?



    There *better* be a better way, as your approach does not
    guarantee uniqueness.

    How does your approach differ from simply using 1,2,3... as the ID?


    --
    Tad McClellan SGML consulting
    Perl programming
    Fort Worth, Texas
     
    Tad McClellan, Dec 20, 2004
    #2

  3. wrote in news:1103581061.893725.116120@c13g2000cwb.googlegroups.com:

    > I have been using Apache:Session:MySQL for generating session ids in my


    ....

    > I realized that I was not using the other features of
    > Apache:Session:MySQL, just creating a big random string to be used as a
    > session id. Since I know how to insert a big random string into a
    > database, I thought I could skip using this module altogether and just
    > make up my own session id:



    There is more to creating a hard to guess session id. If I were you, I
    would have looked at the Apache::Session module to see how it is done.

    > #!/usr/bin/perl
    >
    > use strict;
    > use warnings;
    >
    > my $count = @ARGV ? int $ARGV[0]:10;
    > my @array;
    > my $c = 'a';
    > for (my $i=0;$i<26;$i++)
    > {
    > push @array, $c;
    > $c++;
    > }


    Even when your code is worthless, please make the effort to present it in a
    decent format: Properly indenting your code could do wonders in eliciting
    friendlier responses at least from this particular reader.

    --
    A. Sinan Unur
    d
    (remove '.invalid' and reverse each component for email address)
     
    A. Sinan Unur, Dec 20, 2004
    #3
  4. "A. Sinan Unur" <> wrote in news:Xns95C5B46DAD928asu1cornelledu@132.236.56.8:

    >> #!/usr/bin/perl
    >>
    >> use strict;
    >> use warnings;
    >>
    >> my $count = @ARGV ? int $ARGV[0]:10;
    >> my @array;
    >> my $c = 'a';
    >> for (my $i=0;$i<26;$i++)
    >> {
    >> push @array, $c;
    >> $c++;
    >> }

    >
    > Even when your code is worthless,


    Sorry, forgot to point out why:


    use warnings;
    use strict;

    my @array = 'a' .. 'z';
    push @array, '0' .. '9';
    print @array;

    __END__
    --
    A. Sinan Unur
    d
    (remove '.invalid' and reverse each component for email address)
     
    A. Sinan Unur, Dec 20, 2004
    #4
  5. Guest

    Sorry about lack of indenting. 'Worthless' is a strong criticism for a
    simple piece of code which works even if it is ugly. A google groups
    search reveals that code is rarely referred to as worthless in
    comp.lang.perl.misc. In fact, you have never called a piece of code
    worthless in this group until this post. I don't know if I should feel
    shamed or honored.
    Wouldn't

    my @array = ('a' .. 'z', '0' .. '9');

    work also?
     
    , Dec 20, 2004
    #5
  6. Guest

    I should clarify. I would create the id, and then query the MySQL
    table of existing ids to see if the one created already exists
    (unlikely but possible). If it already exists, I would just create
    another and repeat until I have a unique id. It is unlikely that this
    will go on for long with my long, randomly generated id strings. The
    reason for not using 123 is the same reason for not using a simple
    password. Someone might start trying to get in on a current session by
    guessing a valid id. Thanks for @array = ('a' .. 'z', 0 .. 9); I am
    now beating myself with a stick for not thinking of that myself.
    That's the problem with Perl, you can't hide your code away in compiled
    classes where no one can see what a mess it is :)


    Thanks!

    wana
     
    , Dec 20, 2004
    #6
  7. Guest

    I implemented the session id idea into my present code, keeping the
    interface of my subs the same but only changing the implementation and
    it worked perfectly. The calling code has no idea it is no longer
    dealing with Apache:Session:MySQL. It can request a new session,
    validate a current session, or delete an ended session. The MySQL
    sessions table still looks the same, just that the a_session column is
    unused (I wasn't really using it anyway). The id that I am generating
    with:

    sub make_sess_id
    {
        my $count = 32;
        my @array = ('a' .. 'z', '0' .. '9');    # thanks for help here!
        my $out;
        for (my $i = 0; $i < $count; $i++) { $out .= $array[rand(36)] }
        return $out;
    }

    appear identical to the ones Apache:Session:MySQL was creating. I
    will look at their implementation later when I get a chance.

    wana
     
    , Dec 21, 2004
    #7
  8. wrote in news:1103652860.452237.201220@f14g2000cwb.googlegroups.com:

    > I implemented the session id idea into my present code, keeping the
    > interface of my subs the same but only changing the implementation and
    > it worked perfectly.


    I guess you entertain a more interesting notion of perfect.

    > sub make_sess_id
    > {
    > my $count=32;
    > my @array=('a' .. 'z', '0' .. '9'); #thanks for help here!
    > my $out;
    > for (my $i=0;$i<$count;$i++) {$out .= $array[rand(36)]}
    > return $out;
    > }


    Indent your code!

    > appear identical to the ones Apache:Session:MySQL was creating.


    As we all know, appearances can be deceptive.

    > I will look at their implementation later when I get a chance.


    In the mean time, pray a lot.

    --
    A. Sinan Unur
    d
    (remove '.invalid' and reverse each component for email address)
     
    A. Sinan Unur, Dec 21, 2004
    #8
  9. Guest

    #!/usr/bin/perl

    use strict;
    use warnings;
    use Digest::MD5;

    # Their way
    my $length = 32;
    print substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time() . {} . rand() . $$)),
                 0, $length), "\n";

    # my way
    my @array = ('a' .. 'z', '0' .. '9');
    my $out;
    for (my $i = 0; $i < $length; $i++) { $out .= $array[rand(36)] }
    print "$out\n";

    The first method is from Apache:Session:MySQL. Why is it any better
    than my version for generating a random 32 character string? If it's a
    big difference in 'randomness' I could just use their way to generate
    my ids. I still don't need the whole implementation of
    Apache:Session:MySQL for my current purposes. If there is no
    significant difference in the secure randomness of the generated
    strings, I prefer not to use extra modules unnecessarily.
    Thanks!

    wana
     
    , Dec 21, 2004
    #9
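A hardened version of the generator discussed in posts #1, #6, #7 and #9, added here as an example; it is not code from the thread or from Apache::Session. It assumes a Unix-like host with /dev/urandom (the kernel CSPRNG) as the entropy source, and uses a plain hash in place of the MySQL sessions table for the uniqueness check wana describes in #6. It goes a little beyond the thread: a helper computes the most entropy an id of a given length and alphabet can carry, which is what decides how guessable the id is, rather than the alphabet size alone.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same alphabet as in the thread: 26 lower-case letters plus 10 digits.
my @ALPHABET = ('a' .. 'z', '0' .. '9');

# Draw $n bytes from the kernel CSPRNG. Assumption: a Unix-like host with
# /dev/urandom. Perl's built-in rand() is not a substitute: its state is
# small and it is not designed to be unpredictable.
sub random_bytes {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom'
        or die "cannot open /dev/urandom: $!";
    my $buf = '';
    while (length($buf) < $n) {
        my $got = read($fh, $buf, $n - length($buf), length($buf));
        die "short read from /dev/urandom: $!" unless defined $got && $got > 0;
    }
    close $fh;
    return $buf;
}

# Map CSPRNG bytes onto the 36-symbol alphabet without modulo bias:
# 256 is not a multiple of 36, so bytes >= 252 are discarded and redrawn.
sub make_sess_id {
    my ($count) = @_;
    $count = 32 unless defined $count;
    my $n     = scalar @ALPHABET;          # 36
    my $limit = 256 - (256 % $n);          # 252
    my $out   = '';
    while (length($out) < $count) {
        for my $byte (unpack 'C*', random_bytes($count)) {
            next if $byte >= $limit;       # rejection sampling
            $out .= $ALPHABET[$byte % $n];
            last if length($out) >= $count;
        }
    }
    return $out;
}

# Upper bound on the entropy (bits) of an id of $len symbols drawn
# uniformly from an alphabet of $size symbols.
sub id_entropy_bits {
    my ($len, $size) = @_;
    return $len * log($size) / log(2);
}

# Shortest id over an alphabet of $size symbols that reaches $target bits.
sub length_for_bits {
    my ($target, $size) = @_;
    my $per_symbol = log($size) / log(2);
    my $len = int($target / $per_symbol);
    $len++ while $len * $per_symbol < $target - 1e-9;
    return $len;
}

# Issue a session id, retrying on collision with one already issued.
# %$store stands in for the MySQL sessions table (assumption: the real
# table would make the id a unique key and retry on a duplicate-key error).
sub new_session {
    my ($store) = @_;
    for my $attempt (1 .. 10) {
        my $id = make_sess_id(32);
        next if exists $store->{$id};
        $store->{$id} = time();
        return $id;
    }
    die "could not allocate a unique session id after 10 attempts";
}

my %sessions;                       # constructed in-memory stand-in
my $id = new_session(\%sessions);
printf "%s (%d chars, at most %.1f bits)\n",
    $id, length($id), id_entropy_bits(length($id), scalar @ALPHABET);
printf "for 128 bits: %d base36 chars, %d hex chars\n",
    length_for_bits(128, 36), length_for_bits(128, 16);
```

Two points the thread circles around are visible here. First, the quality of the source matters more than the alphabet: a 32-character id built from a predictable generator can be guessed in far fewer than 36^32 tries, and passing the output through md5_hex (as in the "their way" snippet) does not add entropy the generator never had. Second, the collision loop is cheap insurance but not the security property: with 32 symbols drawn uniformly from 36 the chance of a repeat is negligible, and the uniqueness check is there to keep the table consistent, not to make ids harder to guess.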
  10. Guest

    And they're not even using the whole alphabet! Just hex. I use a-z
    and 0-9 :)
     
    , Dec 21, 2004
    #10
  11. Guest

    wrote:
    > #!/usr/bin/perl
    >
    > use strict;
    > use warnings;
    > use Digest::MD5;
    >
    > #Their way
    > my $length = 32;
    > print substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}.
    > rand(). $$)), 0, $length),"\n";
    >
    > #my way
    > my @array = ('a' .. 'z', '0' .. '9');
    > my $out;
    > for (my $i=0;$i<$length;$i++) {$out .= $array[rand(36)]}
    > print "$out\n";
    >
    > The first method is from Apache:Session:MySQL. Why is it any better
    > than my version for generating a random 32 character string? If it's a
    > big difference in 'randomness'


    Yep, that is what it is. Although I'm not sure how big the
    difference is.

    > I could just use their way to generate
    > my ids. I still don't need the whole implementation of
    > Apache:Session:MySQL for my current purposes.


    Until the next time you need something which you will implement
    yourself using their code. And then the next time. And the time
    after that. And then eventually you have copied the entire module
    into your code in a haphazard fashion. Well, it is something
    to think about anyway.

    Xho

    --
    -------------------- http://NewsReader.Com/ --------------------
    Usenet Newsgroup Service $9.95/Month 30GB
     
    , Dec 21, 2004
    #11
  12. Uri Guttman Guest

    >>>>> "i" == ioneabu <> writes:

    i> And they're not even using the whole alphabet! Just hex. I use a-z
    i> and 0-9 :)

    ENOCLUE

    even with the smiley.

    uri

    --
    Uri Guttman ------ -------- http://www.stemsystems.com
    --Perl Consulting, Stem Development, Systems Architecture, Design and Coding-
    Search or Offer Perl Jobs ---------------------------- http://jobs.perl.org
     
    Uri Guttman, Dec 21, 2004
    #12
  13. wrote in news:1103668714.136707.223230@f14g2000cwb.googlegroups.com:

    > The first method is from Apache:Session:MySQL. Why is it any better
    > than my version for generating a random 32 character string?


    How old are you? I would like to know because the statement above could be
    tolerated if you were too young to get a driver's license. So, if you could
    confirm that, I would explain it at length taking into account that you are
    a youngster who does not know any better.

    You can read about what MD5 is and think real hard about how Apache::Session
    mixes information from various sources.

    Anyway, see also

    http://search.cpan.org/~sherzodr/CGI-Session-3.95/Session.pm

    > I could just use their way to generate my ids. I still
    > don't need the whole implementation of Apache:Session:MySQL
    > for my current purposes. If their is no significant difference
    > in the secure randomness of the generated strings, I prefer not
    > to use extra modules unnecessarily.


    It sounds like you are under the impression that I care what you use. I
    don't. It is for others' benefit that I feel obliged to point out that what
    you regard as an achievement is, in fact, not.

    wrote in news:1103668886.899769.238400@f14g2000cwb.googlegroups.com:

    > And they're not even using the whole alphabet! Just hex. I use a-z
    > and 0-9 :)


    It looks like you misunderstood the source.

    Sinan.

    --
    A. Sinan Unur
    d
    (remove '.invalid' and reverse each component for email address)
     
    A. Sinan Unur, Dec 22, 2004
    #13
  14. Guest

    A. Sinan Unur wrote:
    > wrote in news:1103668714.136707.223230@f14g2000cwb.googlegroups.com:
    >
    > > The first method is from Apache:Session:MySQL. Why is it any better
    > > than my version for generating a random 32 character string?
    >
    > How old are you? I would like to know because the statement above could be
    > tolerated if you were too young to get a driver's license. So, if you could
    > confirm that, I would explain it at length taking into account that you are
    > a youngster who does not know any better.
    >
    > You can read about what MD5 and think real hard about how Apache::Session
    > mixes information from various sources.
    >
    > Anyway, see also
    >
    > http://search.cpan.org/~sherzodr/CGI-Session-3.95/Session.pm
    >
    > > I could just use their way to generate my ids. I still
    > > don't need the whole implementation of Apache:Session:MySQL
    > > for my current purposes. If their is no significant difference
    > > in the secure randomness of the generated strings, I prefer not
    > > to use extra modules unnecessarily.
    >
    > It sounds like you are under the impression that I care what you use. I
    > don't. It is for others' benefit that I feel obliged to point out that what
    > you regard as an achievement is, in fact, not.
    >
    > wrote in news:1103668886.899769.238400@f14g2000cwb.googlegroups.com:
    >
    > > And they're not even using the whole alphabet! Just hex. I use a-z
    > > and 0-9 :)
    >
    > It looks like you misunderstood the source.
    >
    > Sinan.
    >
    > --
    > A. Sinan Unur
    > d
    > (remove '.invalid' and reverse each component for email address)


    Great, I ask a simple question and get attacked personally by a big
    Cornell Economics professor. Sorry to ask such stupid questions,
    'doctor'. Boy, am I glad I'm not in your class!
     
    , Dec 22, 2004
    #14
  15. Uri Guttman Guest

    >>>>> "i" == ioneabu <> writes:

    i> Great, I ask a simple question and get attacked personally by a big
    i> Cornell Economics professor. Sorry to ask such stupid questions,
    i> 'doctor'. Boy, am I glad I'm not in your class!

    ok, i will attack for that stupid and infantile response. you haven't
    listened to a word of what people have said. you have shown no
    inclination to actually understand the tricky issues regarding making a
    session key. this attitude of yours (and yes it is hard to isolate a
    comment about your attitude from 'you') is leading you to be a very bad
    programmer. is that the type of student of computer stuff that you want
    to be? i wouldn't want to be your teacher, it will be like talking to a
    wall that knows nothing.

    uri

    --
    Uri Guttman ------ -------- http://www.stemsystems.com
    --Perl Consulting, Stem Development, Systems Architecture, Design and Coding-
    Search or Offer Perl Jobs ---------------------------- http://jobs.perl.org
     
    Uri Guttman, Dec 22, 2004
    #15
  16. Guest

    I have made an effort to understand a process by exploring it in its
    most basic form, as if I had to create for the first time. Of course
    my simple minded code is not as good as the real thing, but why? There
    have been some intelligent and thought provoking responses from others,
    which I greatly appreciate. If you don't have an interesting response,
    how about a link?
     
    , Dec 22, 2004
    #16
  17. wrote in news:1103684706.646202.74540@z14g2000cwz.googlegroups.com:

    > Great, I ask a simple question and get attacked personally by a big
    > Cornell Economics professor. Sorry to ask such stupid questions,
    > 'doctor'. Boy, am I glad I'm not in your class!


    Please don't put yourself in the same category as the people who pay my
    salary, who show up in my classes day after day, who do the homeworks I
    assign and who sweat my exams. Those people deserve and get quality
    individual attention and all the help I can provide and still realize that
    they are making an investment in their intellectual capital. In most cases,
    they realize having answers spoon-fed actually reduces the returns on that
    investment.

    In case you were curious, I am just as elated as you are that you are not
    in my class. I hate failing people.

    The fact that I hold a number of degrees etc is completely irrelevant here
    which is why you cannot find them mentioned anywhere other than my Cornell
    home page where it is appropriate to mention them.

    You did not ask a simple question. Such a question might have been
    something along the lines of "What is a good way of generating session
    ids?"

    Instead, you came up with a bad method, demonstrated that you had not
    actually researched the issue at all and proceeded to make fun of the
    proper method without having understood what it does. That is infantile.

    Information on how to generate session id's in a way that makes it
    difficult for some cracker to guess current and valid session id's is
    readily available.

    Of course, you do not need to use Apache::Session::MySQL just to generate
    session ids. You could just use the module that package depends on:

    Apache::Session::Generate::MD5 (see http://tinyurl.com/5n65q)

    --
    A. Sinan Unur
    d
    (remove '.invalid' and reverse each component for email address)
     
    A. Sinan Unur, Dec 22, 2004
    #17
  18. wrote in news:1103690744.041045.156420@f14g2000cwb.googlegroups.com:

    > If you don't have an interesting response, how about a link?


    Have you heard of Google?

    --
    A. Sinan Unur
    d
    (remove '.invalid' and reverse each component for email address)
     
    A. Sinan Unur, Dec 22, 2004
    #18
  19. Guest

    I see your point. I was wrong to respond the way I did. I really do
    want to be a great Perl programmer. I did learn a valuable lesson
    today. There is a lot to be learned in the code of cpan modules. I
    will study the code of the masters and do my best to understand it
    before posting another dumb, poorly worded question. Thanks for still
    taking the effort to help me out even after I was so disrespectful.
    Sorry.

    wana
     
    , Dec 22, 2004
    #19
  20. Guest

    http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

    The unofficial MD5 home page has information on collision weakness of
    MD5. This could be a potential security risk since, hypothetically, an
    attacker could calculate a collision pair and use that information to
    get a working session id illegitimately. If the point of using MD5 is
    to ensure a unique value for the session id, it would seem that
    querying the database table of session ids to ensure that a new id is
    unique prior to entering it in the table would be a good idea.
     
    , Dec 22, 2004
    #20