
Thread: Strengthening SessionCache.getNextSessionId

  1. #1
    Join Date: May 2006 | Posts: 9 | Rep Power: 9

    Strengthening SessionCache.getNextSessionId

    The current code looks like:

    <pre>
    // sequential counter: each new session id is the previous one plus one
    private static long sContextSeqNo = 0;

    private synchronized static String getNextSessionId() {
        return Long.toString(sContextSeqNo++);
    }
    </pre>

    I suggest replacing it with something that takes the account ID as a parameter, then does the following pseudocode:

    1. Generate a large random number.
    2. Stringify it and prepend the account ID.
    3. If it's in the cache already, go back to step 1.
    4. Return.

    This will give the wonderful advantage of being able to pass sessionIDs back to the client without fearing that they'll be guessed by an attacker, especially when a servlet that doesn't use cookies is running.
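    As an added illustration of the four steps above (this is not code from the thread or from Zimbra's SessionCache), here is what such a generator could look like in Java; the class name, the backing map and the account ids used in main() are assumptions:

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example (not Zimbra's SessionCache): session ids built the way the
// four steps above describe, with the collision check done atomically.
public class RandomSessionIdCache {
    private static final int RANDOM_BYTES = 16;          // 128 bits of unpredictability
    private static final SecureRandom RNG = new SecureRandom();

    // hypothetical cache: session id -> owning account id
    private final Map<String, String> mSessions = new ConcurrentHashMap<>();

    public String getNextSessionId(String accountId) {
        byte[] buf = new byte[RANDOM_BYTES];
        while (true) {
            RNG.nextBytes(buf);                                              // step 1
            String id = accountId + ":"                                      // step 2
                    + Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            // steps 3 and 4: putIfAbsent is atomic, so two threads can never both
            // claim the same id; on a collision (astronomically rare) we loop.
            if (mSessions.putIfAbsent(id, accountId) == null) {
                return id;
            }
        }
    }

    /** True only if the id exists in the cache and belongs to the authenticated account. */
    public boolean isValidFor(String sessionId, String authenticatedAccountId) {
        // The account prefix in the id is public, so it is never trusted on its own;
        // the cache entry is what ties the session to an account.
        return authenticatedAccountId.equals(mSessions.get(sessionId));
    }

    public static void main(String[] args) {
        RandomSessionIdCache cache = new RandomSessionIdCache();
        String a = cache.getNextSessionId("acct-123");   // constructed sample account ids
        String b = cache.getNextSessionId("acct-123");
        System.out.println(a);
        System.out.println("distinct ids for one account: " + !a.equals(b));
        System.out.println("owner check passes: " + cache.isValidFor(a, "acct-123"));
        System.out.println("other account rejected: " + !cache.isValidFor(a, "acct-999"));
    }
}
```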

  2. #2
    Join Date: Aug 2005 | Posts: 228 | Rep Power: 10

    Session IDs are useless without an authtoken, which is already cryptographically secure and random. They are also tied to an authtoken, which means you can't take your authtoken and try to guess someone else's session ID.
    Bugzilla - Wiki - Downloads - Before posting... Search!
