Date: Mon, 15 Nov 2004 18:24:06 +0000 (GMT)
From: Ed Grimm
To: "'Embperl List'"
cc: "'Stefan Cars'"
Subject: RE: Sessions get mixed up ?

On Mon, 15 Nov 2004, Gerald Richter wrote:

> Hi,
>
>> The problem is that this happens maybe once or twice a month (we have
>> about 10-15 thousand logins per day). So it's really hard to
>> reproduce, and as far as I understand wouldn't the closure problem
>> create this problem more often ?)
>
> Yes, the closure problem should create the problem more often.
>
> If it happens so seldom, it really might be a problem of generating
> session ids.
>
> Apache::Session generates the id by doing a md5 hash on a random
> number (time () . {} . Rand() . $$) , maybe there are situations where
> it generates the same id (also this should normally not happen).

MD5 hash collisions very well could have that frequency, at that volume.
How hard would it be to change the code to use a SHA or SSHA hash
instead? (Admittedly, I'm picking a more cryptographically secure hash
at pseudo-random; there may be one that's more appropriate.)

Note that I realize they take longer to generate, but that time only
happens at login, not per page view, and it should reduce the hash
collision rate dramatically.

Ed
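
Added example, not part of the original message and not Apache::Session's own code: a Python model of the ID recipe quoted above (a hash over time, a reference address, rand() and the PID). It computes the birthday bound for a 128-bit ID at the login volume mentioned in the thread, shows what the recipe yields when all four hashed inputs repeat under MD5 and under SHA-256, and gives an ID drawn from the OS CSPRNG for comparison. The function names and the `SAMPLE` values are constructed for illustration.

```python
import hashlib
import secrets


def birthday_collision_probability(n_ids: int, bits: int) -> float:
    """Approximate chance that any two of n_ids uniformly random `bits`-bit
    values are equal: n(n-1)/2 pairs, each matching with probability 2**-bits."""
    return n_ids * (n_ids - 1) / 2 / 2 ** bits


def recipe_id(now: int, ref_addr: str, rand_val: float, pid: int,
              algo: str = "md5") -> str:
    """Model of the quoted recipe: hash(time . {} . rand() . $$)."""
    material = f"{now}{ref_addr}{rand_val}{pid}".encode()
    return hashlib.new(algo, material).hexdigest()


def csprng_id(n_bytes: int = 16) -> str:
    """Session ID taken directly from the OS CSPRNG; it does not depend on
    the clock, the PID or the state of a seeded PRNG."""
    return secrets.token_hex(n_bytes)


# Constructed inputs (assumption): two ID generations in which the timestamp,
# the stringified reference, the rand() value and the PID are all the same.
SAMPLE = dict(now=1100543046, ref_addr="HASH(0x8123abc)",
              rand_val=0.4170220047, pid=4242)


def repeated_inputs_collide(algo: str) -> bool:
    """True if hashing the same four inputs twice gives the same ID."""
    return recipe_id(**SAMPLE, algo=algo) == recipe_id(**SAMPLE, algo=algo)


if __name__ == "__main__":
    n = 15_000 * 365 * 10  # ten years at 15,000 logins per day
    print("128-bit birthday bound:", birthday_collision_probability(n, 128))
    for algo in ("md5", "sha256"):
        print(algo, "same inputs -> same ID:", repeated_inputs_collide(algo))
    print("CSPRNG ID:", csprng_id())
```

The hash function only maps its input to an ID, so the number of distinct IDs the recipe can produce is bounded by the number of distinct input tuples, whichever digest is used.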