[albatross-users] ModularSessionFileApp and windows

Tim Churches tchur at optushome.com.au
Fri Apr 5 21:35:54 EST 2002


Andrew McNamara wrote:
> 
> 
> I have some concerns about the use of the "random" module for generating
> session keys: they're seeded from the real-time clock, which means an
> attacker can make a close guess at when a session was started (within
> a minute or so), and they can then brute-force guess the session ID.
> 
> All the other web tools I've looked at share this problem, but that
> doesn't make it any less serious.

On Linux and BSD at least, wouldn't it be possible to read some random
bytes from /dev/random or /dev/urandom each time a session key was
required? My understanding is that these devices collect random bytes
from noise on the system bus or some such. It is the diesel engines which
make buses noisy, isn't it?

Tim C
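Added example, not code from the Albatross project or from either poster: it puts the two approaches discussed above side by side in Python. A session ID drawn from the `random` module after seeding it with a clock-derived value is reproduced exactly by anyone who supplies the same seed, which is why a small seed space matters; an ID read from the kernel's random device (`os.urandom`, which reads /dev/urandom on Linux and BSD, or the `secrets` module built on it) has no application-level seed to guess. The constant-time comparison and the format check are additions beyond the thread; the ID length of 16 bytes is an assumption.

```python
import hmac
import os
import random
import secrets

# Assumed session ID size: 16 bytes = 128 bits of entropy per ID.
SESSION_ID_BYTES = 16


def clock_seeded_session_id(seed, nbits=8 * SESSION_ID_BYTES):
    """Session ID from the non-cryptographic 'random' module after seeding it
    with a value derived from the clock (the pattern Andrew warns about).
    The same seed always yields the same ID, so an attacker who can narrow
    down the start time only has a small seed space to search."""
    rng = random.Random(seed)
    return f"{rng.getrandbits(nbits):0{nbits // 4}x}"


def urandom_session_id(nbytes=SESSION_ID_BYTES):
    """Session ID from the kernel's random device: os.urandom reads
    /dev/urandom on Linux and BSD. There is no seed a caller could replay."""
    return os.urandom(nbytes).hex()


def secrets_session_id(nbytes=SESSION_ID_BYTES):
    """Same source of randomness via the secrets module, the idiomatic way
    to mint tokens in modern Python."""
    return secrets.token_hex(nbytes)


def session_id_is_well_formed(sid, nbytes=SESSION_ID_BYTES):
    """Server-side check on an ID presented by a client: exact length and
    hex only, so malformed input is rejected before any store lookup."""
    if len(sid) != 2 * nbytes:
        return False
    try:
        bytes.fromhex(sid)
    except ValueError:
        return False
    return True


def session_ids_match(presented, stored):
    """Constant-time comparison so lookup timing does not reveal how many
    leading characters of a guessed ID were correct."""
    return hmac.compare_digest(presented, stored)


if __name__ == "__main__":
    # Constructed seed standing in for a clock reading (seconds since epoch).
    seed = 1017988554
    print("seeded (reproducible):", clock_seeded_session_id(seed))
    print("seeded again, same seed:", clock_seeded_session_id(seed))
    print("os.urandom:", urandom_session_id())
    print("secrets:", secrets_session_id())
```

Two calls to `clock_seeded_session_id` with the same seed print identical IDs, whereas `urandom_session_id` and `secrets_session_id` give a fresh value on every call regardless of when the session started.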
