generating a session id

ioneabu

I have been using Apache::Session::MySQL for generating session ids in my
attempts at creating a secure login environment on the web where once
the user's id is validated, a session id is generated which is passed
from page to page and is checked against the database at each page to
verify that it is legitimate and current. I think this is pretty much
the standard way to do it.

I realized that I was not using the other features of
Apache::Session::MySQL, just creating a big random string to be used as a
session id. Since I know how to insert a big random string into a
database, I thought I could skip using this module altogether and just
make up my own session id:

#!/usr/bin/perl

use strict;
use warnings;

# Length of the id: first command-line argument, default 10
my $count = @ARGV ? int $ARGV[0] : 10;

# Build the alphabet: a-z followed by 0-9 (36 symbols)
my @array;
my $c = 'a';
for (my $i = 0; $i < 26; $i++)
{
    push @array, $c;
    $c++;
}
$c = '0';
for (my $i = 0; $i < 10; $i++)
{
    push @array, $c;
    $c++;
}

# Pick $count symbols with Perl's ordinary rand() (not a cryptographic PRNG)
my $out = '';
for (my $i = 0; $i < $count; $i++)
{
    $out .= $array[rand(36)];
}
print "$out\n";

As you can see, this simple program just creates a random string of
letters and digits of a length defined by $ARGV[0].

1) Is there a better or more interesting or more concise way to write
the above code?

2) Is there any reason I should still use Apache::Session::MySQL if all I
am doing with it is creating session ids?

Thanks!

wana
 
Tad McClellan

> my $c = 'a';
> for (my $i=0;$i<26;$i++)
> {
> push @array, $c;
> $c++;
> }
> $c ='0';
> for (my $i=0;$i<10;$i++)
> {
> push @array, $c;
> $c++;
> }


You can replace all of that code with this one line:

@array = ('a' .. 'z', 0 .. 9);

> my $out;
> for (my $i=0;$i<$count;$i++)
> {
> $out .= $array[rand(36)];
> }
> print "$out\n";
>
> As you can see, this simple program just creates a random string of
> letters and digits of a length defined by $ARGV[0].
>
> 1) Is there a better or more interesting or more concise way to write
> the above code?


There *better* be a better way, as your approach does not
guarantee uniqueness.

How does your approach differ from simply using 1,2,3... as the ID?
 
A. Sinan Unur

(e-mail address removed) wrote in @c13g2000cwb.googlegroups.com:
> I have been using Apache::Session::MySQL for generating session ids in my
> ...
>
> I realized that I was not using the other features of
> Apache::Session::MySQL, just creating a big random string to be used as a
> session id. Since I know how to insert a big random string into a
> database, I thought I could skip using this module altogether and just
> make up my own session id:


There is more to creating a hard-to-guess session id. If I were you, I
would have looked at the Apache::Session module to see how it is done.
> #!/usr/bin/perl
>
> use strict;
> use warnings;
>
> my $count = @ARGV ? int $ARGV[0]:10;
> my @array;
> my $c = 'a';
> for (my $i=0;$i<26;$i++)
> {
> push @array, $c;
> $c++;
> }

Even when your code is worthless, please make the effort to present it in a
decent format: Properly indenting your code could do wonders in eliciting
friendlier responses at least from this particular reader.
 
A. Sinan Unur

> #!/usr/bin/perl
>
> use strict;
> use warnings;
>
> my $count = @ARGV ? int $ARGV[0]:10;
> my @array;
> my $c = 'a';
> for (my $i=0;$i<26;$i++)
> {
> push @array, $c;
> $c++;
> }
>
> Even when your code is worthless,

Sorry, forgot to point out why:


use warnings;
use strict;

my @array = 'a' .. 'z';
push @array, '0' .. '9';
print @array;

__END__
 
ioneabu

Sorry about lack of indenting. 'Worthless' is a strong criticism for a
simple piece of code which works even if it is ugly. A google groups
search reveals that code is rarely referred to as worthless in
comp.lang.perl.misc. In fact, you have never called a piece of code
worthless in this group until this post. I don't know if I should feel
shamed or honored.
Wouldn't

my @array = ('a' .. 'z', '0' .. '9');

work also?
 
ioneabu

I should clarify. I would create the id, and then query the MySQL
table of existing ids to see if the one created already exists
(unlikely but possible). If it already exists, I would just create
another and repeat until I have a unique id. It is unlikely that this
will go on for long with my long, randomly generated id strings. The
reason for not using 123 is the same reason for not using a simple
password. Someone might start trying to get in on a current session by
guessing a valid id. Thanks for @array = ('a' .. 'z', 0 .. 9); I am
now beating myself with a stick for not thinking of that myself.
That's the problem with Perl, you can't hide your code away in compiled
classes where no one can see what a mess it is :)


Thanks!

wana
 
ioneabu

I implemented the session id idea into my present code, keeping the
interface of my subs the same but only changing the implementation, and
it worked perfectly. The calling code has no idea it is no longer
dealing with Apache::Session::MySQL. It can request a new session,
validate a current session, or delete an ended session. The MySQL
sessions table still looks the same, just that the a_session column is
unused (I wasn't really using it anyway). The id that I am generating
with:

sub make_sess_id
{
    my $count = 32;
    my @array = ('a' .. 'z', '0' .. '9');   # thanks for help here!
    my $out = '';
    for (my $i = 0; $i < $count; $i++) { $out .= $array[rand(36)] }
    return $out;
}

appears identical to the ones Apache::Session::MySQL was creating. I
will look at their implementation later when I get a chance.

wana
 
A. Sinan Unur

(e-mail address removed) wrote in @f14g2000cwb.googlegroups.com:
> I implemented the session id idea into my present code, keeping the
> interface of my subs the same but only changing the implementation and
> it worked perfectly.

I guess you entertain a more interesting notion of perfect.
> sub make_sess_id
> {
> my $count=32;
> my @array=('a' .. 'z', '0' .. '9'); #thanks for help here!
> my $out;
> for (my $i=0;$i<$count;$i++) {$out .= $array[rand(36)]}
> return $out;
> }

Indent your code!

> appears identical to the ones Apache::Session::MySQL was creating.

As we all know, appearances can be deceptive.
> I will look at their implementation later when I get a chance.

In the meantime, pray a lot.
 
ioneabu

#!/usr/bin/perl

use strict;
use warnings;
use Digest::MD5;

# Their way: hash time, an anonymous hash's address, rand() and the pid, twice
my $length = 32;
print substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}. rand(). $$)),
             0, $length), "\n";

# My way: $length symbols picked from a-z, 0-9 with rand()
my @array = ('a' .. 'z', '0' .. '9');
my $out = '';
for (my $i = 0; $i < $length; $i++) { $out .= $array[rand(36)] }
print "$out\n";

The first method is from Apache::Session::MySQL. Why is it any better
than my version for generating a random 32 character string? If it's a
big difference in 'randomness' I could just use their way to generate
my ids. I still don't need the whole implementation of
Apache::Session::MySQL for my current purposes. If there is no
significant difference in the secure randomness of the generated
strings, I prefer not to use extra modules unnecessarily.

Thanks!

wana
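The question of why one generator is "better" than the other comes down to how many distinct ids each can actually produce, which is bounded by the generator's own state, not by the alphabet or the length of the string. The Python block below is an added example written for this page; it is not code from the thread or from Apache::Session. It computes the entropy a 32-character id over a-z/0-9 or over hex could hold, uses a constructed 32-bit linear congruential generator as a stand-in for a seeded rand() (the seed width is an assumption for the illustration) to show that such output is capped by the seed no matter how long the id is, and generates ids from the operating system's CSPRNG through the standard `secrets` module instead.

```python
"""Added example (not from the thread or Apache::Session): how much entropy a
session id really carries, and a CSPRNG-backed generator to compare against.

Assumption: the 32-bit seed of the toy generator below is a constructed
illustration, not a claim about any particular Perl build's rand().
"""
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits   # a-z, 0-9: 36 symbols (the thread's alphabet)
HEX_ALPHABET = "0123456789abcdef"                   # what md5_hex() emits: 16 symbols


def id_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy an id of `length` symbols could hold if every symbol were drawn
    uniformly and independently: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def effective_bits(alphabet_size: int, length: int, generator_state_bits: float) -> float:
    """An id can never carry more entropy than the generator that produced it.
    A PRNG seeded from N bits emits at most 2**N distinct output streams, so a
    long id from a small seed is still only N bits of guessing work."""
    return min(id_space_bits(alphabet_size, length), generator_state_bits)


def lcg_session_id(seed: int, length: int = 32, alphabet: str = ALPHABET) -> str:
    """Constructed toy: a 32-bit linear congruential generator (glibc rand()
    constants) used the way the thread's loop uses rand(). Same seed, same id;
    only 2**32 possible ids exist no matter how large `length` is."""
    state = seed & 0xFFFFFFFF
    out = []
    for _ in range(length):
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        out.append(alphabet[(state >> 16) % len(alphabet)])
    return "".join(out)


def make_session_id(length: int = 32, alphabet: str = ALPHABET) -> str:
    """CSPRNG-backed id: secrets.choice draws from os.urandom, so each symbol
    contributes the full log2(len(alphabet)) bits and ids are unpredictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guesses_to_hit_a_live_session(bits: float, live_sessions: int) -> float:
    """Rough expected number of blind guesses before hitting any one of
    `live_sessions` valid ids, given `bits` of real entropy per id:
    half the space, divided by the number of targets."""
    return 2 ** bits / live_sessions / 2


if __name__ == "__main__":
    print("a-z0-9 x 32 could hold %.1f bits" % id_space_bits(36, 32))
    print("hex x 32 could hold %.1f bits" % id_space_bits(16, 32))
    print("either one from a 32-bit-seeded PRNG: %.1f bits" % effective_bits(36, 32, 32))
    print("toy PRNG, seed 1234:      ", lcg_session_id(1234))
    print("toy PRNG, seed 1234 again:", lcg_session_id(1234))
    print("CSPRNG:                   ", make_session_id())
```

The point the numbers make: 32 symbols of a-z/0-9 could hold about 165 bits and 32 hex digits 128 bits, but both collapse to the seed width when the symbols come from a small seeded PRNG, and a longer alphabet buys nothing. Drawing from the OS CSPRNG is what makes the id space the real search space; hashing time, pid and rand() together, as the Apache::Session code does, mixes several weak sources but is still only as strong as the entropy that went in.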
 
xhoster

> #!/usr/bin/perl
>
> use strict;
> use warnings;
> use Digest::MD5;
>
> #Their way
> my $length = 32;
> print substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}.
> rand(). $$)), 0, $length),"\n";
>
> #my way
> my @array = ('a' .. 'z', '0' .. '9');
> my $out;
> for (my $i=0;$i<$length;$i++) {$out .= $array[rand(36)]}
> print "$out\n";
>
> The first method is from Apache::Session::MySQL. Why is it any better
> than my version for generating a random 32 character string? If it's a
> big difference in 'randomness'

Yep, that is what it is. Although I'm not sure how big the
difference is.
> I could just use their way to generate
> my ids. I still don't need the whole implementation of
> Apache::Session::MySQL for my current purposes.

Until the next time you need something which you will implement
yourself using their code. And then the next time. And the time
after that. And then eventually you have copied the entire module
into your code in a haphazard fashion. Well, it is something
to think about anyway.

Xho
 
Uri Guttman

i> And they're not even using the whole alphabet! Just hex. I use a-z
i> and 0-9 :)

ENOCLUE

even with the smiley.

uri
 
A. Sinan Unur

(e-mail address removed) wrote in @f14g2000cwb.googlegroups.com:
> The first method is from Apache::Session::MySQL. Why is it any better
> than my version for generating a random 32 character string?

How old are you? I would like to know because the statement above could be
tolerated if you were too young to get a driver's license. So, if you could
confirm that, I would explain it at length taking into account that you are
a youngster who does not know any better.

You can read about what MD5 is and think real hard about how Apache::Session
mixes information from various sources.

Anyway, see also

http://search.cpan.org/~sherzodr/CGI-Session-3.95/Session.pm
> I could just use their way to generate my ids. I still
> don't need the whole implementation of Apache::Session::MySQL
> for my current purposes. If there is no significant difference
> in the secure randomness of the generated strings, I prefer not
> to use extra modules unnecessarily.

It sounds like you are under the impression that I care what you use. I
don't. It is for others' benefit that I feel obliged to point out that what
you regard as an achievement is, in fact, not.

(e-mail address removed) wrote in @f14g2000cwb.googlegroups.com:
> And they're not even using the whole alphabet! Just hex. I use a-z
> and 0-9 :)

It looks like you misunderstood the source.

Sinan.
 
ioneabu

A. Sinan Unur said:
> (e-mail address removed) wrote in @f14g2000cwb.googlegroups.com:
>
> How old are you? I would like to know because the statement above could be
> tolerated if you were too young to get a driver's license. So, if you could
> confirm that, I would explain it at length taking into account that you are
> a youngster who does not know any better.
>
> You can read about what MD5 is and think real hard about how Apache::Session
> mixes information from various sources.
>
> Anyway, see also
>
> http://search.cpan.org/~sherzodr/CGI-Session-3.95/Session.pm
>
> It sounds like you are under the impression that I care what you use. I
> don't. It is for others' benefit that I feel obliged to point out that what
> you regard as an achievement is, in fact, not.
>
> (e-mail address removed) wrote in @f14g2000cwb.googlegroups.com:
>
> It looks like you misunderstood the source.
>
> Sinan.

Great, I ask a simple question and get attacked personally by a big
Cornell Economics professor. Sorry to ask such stupid questions,
'doctor'. Boy, am I glad I'm not in your class!
 
Uri Guttman

i> Great, I ask a simple question and get attacked personally by a big
i> Cornell Economics professor. Sorry to ask such stupid questions,
i> 'doctor'. Boy, am I glad I'm not in your class!

ok, i will attack for that stupid and infantile response. you haven't
listened to a word of what people have said. you have shown no
inclination to actually understand the tricky issues regarding making a
session key. this attitude of yours (and yes it is hard to isolate a
comment about your attitude from 'you') is leading you to be a very bad
programmer. is that the type of student of computer stuff that you want
to be? i wouldn't want to be your teacher, it will be like talking to a
wall that knows nothing.

uri
 
ioneabu

I have made an effort to understand a process by exploring it in its
most basic form, as if I had to create it for the first time. Of course
my simple-minded code is not as good as the real thing, but why? There
have been some intelligent and thought-provoking responses from others,
which I greatly appreciate. If you don't have an interesting response,
how about a link?
 
A. Sinan Unur

(e-mail address removed) wrote in @z14g2000cwz.googlegroups.com:
> Great, I ask a simple question and get attacked personally by a big
> Cornell Economics professor. Sorry to ask such stupid questions,
> 'doctor'. Boy, am I glad I'm not in your class!

Please don't put yourself in the same category as the people who pay my
salary, who show up in my classes day after day, who do the homeworks I
assign and who sweat my exams. Those people deserve and get quality
individual attention and all the help I can provide and still realize that
they are making an investment in their intellectual capital. In most cases,
they realize having answers spoon-fed actually reduces the returns on that
investment.

In case you were curious, I am just as elated as you are that you are not
in my class. I hate failing people.

The fact that I hold a number of degrees etc. is completely irrelevant here,
which is why you cannot find them mentioned anywhere other than my Cornell
home page, where it is appropriate to mention them.

You did not ask a simple question. Such a question might have been
something along the lines of "What is a good way of generating session
ids?"

Instead, you came up with a bad method, demonstrated that you had not
actually researched the issue at all and proceeded to make fun of the
proper method without having understood what it does. That is infantile.

Information on how to generate session ids in a way that makes it
difficult for some cracker to guess current and valid session ids is
readily available.

Of course, you do not need to use Apache::Session::MySQL just to generate
session ids. You could just use the module that package depends on:

Apache::Session::Generate::MD5 (see http://tinyurl.com/5n65q)
 
ioneabu

I see your point. I was wrong to respond the way I did. I really do
want to be a great Perl programmer. I did learn a valuable lesson
today. There is a lot to be learned in the code of cpan modules. I
will study the code of the masters and do my best to understand it
before posting another dumb, poorly worded question. Thanks for still
taking the effort to help me out even after I was so disrespectful.
Sorry.

wana
 
ioneabu

http://userpages.umbc.edu/~mabzug1/cs/md5/md5.html

The unofficial MD5 home page has information on collision weakness of
MD5. This could be a potential security risk since, hypothetically, an
attacker could calculate a collision pair and use that information to
get a working session id illegitimately. If the point of using MD5 is
to ensure a unique value for the session id, it would seem that
querying the database table of session ids to ensure that a new id is
unique prior to entering it in the table would be a good idea.
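The uniqueness check the poster describes (generate an id, look it up in the table, retry on a hit) has a race when done as a SELECT followed by an INSERT: two concurrent requests can both see "not present" and both insert the same id. Letting the table's primary-key constraint do the check makes it atomic, and a generator that is actually unpredictable makes the retry path almost never run. The block below is an added example for this page, not the poster's code or Apache::Session's; it uses an in-memory SQLite table in place of the MySQL sessions table (an assumption), mirrors the three operations the poster's subs provide (new, validate, end), and exercises the retry with a constructed generator that repeats an id.

```python
"""Added example (not from the thread or Apache::Session): a session store
whose collision check is the table's own PRIMARY KEY constraint.

Assumption: an in-memory SQLite table stands in for the MySQL sessions table.
"""
import secrets
import sqlite3
import time
from typing import Callable, Optional, Tuple

SCHEMA = """
CREATE TABLE IF NOT EXISTS sessions (
    id      TEXT PRIMARY KEY,   -- unique index: the INSERT itself is the collision check
    user_id TEXT NOT NULL,
    expires INTEGER NOT NULL    -- unix time after which the id is no longer valid
)
"""


def open_store(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def default_generator() -> str:
    # 16 bytes from the OS CSPRNG rendered as 32 hex chars: the same length as
    # the md5_hex ids in the thread, with 128 bits of real entropy behind them.
    return secrets.token_hex(16)


def new_session(conn: sqlite3.Connection, user_id: str, ttl: int = 3600,
                gen: Callable[[], str] = default_generator, max_tries: int = 5,
                now: Callable[[], float] = time.time) -> str:
    """Draw an id and INSERT it; a duplicate raises IntegrityError, so draw again.
    There is no SELECT-then-INSERT window for two requests to race through."""
    for _ in range(max_tries):
        sid = gen()
        try:
            with conn:   # commits on success, rolls back on exception
                conn.execute(
                    "INSERT INTO sessions (id, user_id, expires) VALUES (?, ?, ?)",
                    (sid, user_id, int(now()) + ttl),
                )
            return sid
        except sqlite3.IntegrityError:
            continue     # collision: astronomically rare with a real generator
    raise RuntimeError("could not allocate a unique session id after %d tries" % max_tries)


def validate_session(conn: sqlite3.Connection, sid: str,
                     now: Callable[[], float] = time.time) -> Optional[str]:
    """Return the owning user_id if the id exists and has not expired, else None.
    The id comes from the client, so it is bound as a parameter, never interpolated."""
    row = conn.execute("SELECT user_id, expires FROM sessions WHERE id = ?", (sid,)).fetchone()
    if row is None or row[1] <= int(now()):
        return None
    return row[0]


def end_session(conn: sqlite3.Connection, sid: str) -> None:
    with conn:
        conn.execute("DELETE FROM sessions WHERE id = ?", (sid,))


def collision_demo() -> Tuple[sqlite3.Connection, str, str]:
    """Constructed generator that repeats an id, to show the retry path."""
    conn = open_store()
    draws = iter(["aaaa0000", "aaaa0000", "bbbb1111"])
    first = new_session(conn, "alice", gen=lambda: next(draws))
    second = new_session(conn, "bob", gen=lambda: next(draws))   # hits the duplicate, retries
    return conn, first, second


if __name__ == "__main__":
    conn, first, second = collision_demo()
    print(first, "->", validate_session(conn, first))
    print(second, "->", validate_session(conn, second))
    end_session(conn, first)
    print(first, "after end_session ->", validate_session(conn, first))
```

Two things worth carrying over to the MySQL version: declare the id column as the primary key (or give it a UNIQUE index) so that the duplicate is rejected by the insert rather than by a prior lookup, and store an expiry alongside the id so that a guessed or leaked id stops working on its own instead of living until someone deletes the row.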
 
