[albatross-users] ModularSessionFileApp and windows

Andrew McNamara andrewm at object-craft.com.au
Fri Apr 5 18:56:28 EST 2002


>Has anyone used ModularSessionFileApp on a Windows platform?

I haven't been able to test it there yet. Sorry.

>I have had to do the following to make it work.
>
>in sessionfile.py
>add : import struct
>
>in albatross directory
>rename random.py to Random.py
>
>in albatross __init__.py
>
>change
>from random import * 
>to
>from Random import *
>
>Hope this helps,

Ouch. Yes, it does. I'll try to come up with a permanent fix before the
next release (which probably won't be for a while yet).

I have some concerns about the use of the "random" module for generating
session keys: they're seeded from the real-time clock, which means an
attacker can make a close guess at when a session was started (within
a minute or so), and they can then brute-force guess the session ID.

All the other web tools I've looked at share this problem, but that
doesn't make it any less serious.

-- 
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/
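
The session-key concern raised above, as an added example that is not part of the original post and is not Albatross code: a clock-seeded ID next to one drawn from the OS CSPRNG, with a check of how little entropy the first retains once the session start time is known to within a minute. The function names, the millisecond seed resolution and the timestamp are assumptions made for illustration.

```python
import math
import random
import secrets

# Assumption: the clock-derived seed has millisecond resolution.
TICKS_PER_SECOND = 1000


def clock_seeded_session_id(seed_ms: int) -> str:
    """Weak form: a 128-bit ID whose only secret input is the clock value."""
    return "%032x" % random.Random(seed_ms).getrandbits(128)


def csprng_session_id() -> str:
    """Hardened form: 128 bits drawn from the operating system's CSPRNG."""
    return secrets.token_hex(16)


def effective_bits(window_seconds: int) -> float:
    """Entropy left in a clock-seeded ID once its start time is known to
    within window_seconds: log2 of the number of possible seeds."""
    return math.log2(window_seconds * TICKS_PER_SECOND)


def seed_within_window(session_id: str, start_ms: int, window_seconds: int):
    """Audit check: return the seed if the ID is reproducible from a clock
    value inside the window, else None."""
    for seed in range(start_ms, start_ms + window_seconds * TICKS_PER_SECOND):
        if clock_seeded_session_id(seed) == session_id:
            return seed
    return None


if __name__ == "__main__":
    start_ms = 1_017_997_000_000  # constructed timestamp, not from the post
    weak = clock_seeded_session_id(start_ms + 41_237)
    strong = csprng_session_id()
    print("clock-seeded bits:", round(effective_bits(60), 1))
    print("weak ID reproducible:", seed_within_window(weak, start_ms, 60) is not None)
    print("CSPRNG ID reproducible:", seed_within_window(strong, start_ms, 60) is not None)
```

The ID is 128 bits long in both cases; only the CSPRNG version actually carries that much entropy, because the clock-seeded one is fully determined by a seed with roughly 16 bits of uncertainty.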


