perl-modperl mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: random token re-used in subsequent requests
Date Wed, 18 May 2016 07:12:17 GMT
On 18.05.2016 01:23, Vincent Veyron wrote:
> On Tue, 17 May 2016 20:41:28 +0200
> demerphq <demerphq@gmail.com> wrote:
>>
>> If you fork before you call (s)rand then each child process will have
>> their own copy of the flag, which will be false, and thus will cause
>> srand() to be called in the subprocess properly.
>>
>
> So now I'm lost: I understand this as meaning that one should _not_ call srand in mod_perl, since each child process is forked by Apache?
>
> In any case, I tried to use srand per André's suggestion and your other post:
>
>          my $seed = time ^ $$ ;
>          srand($seed);

No, this will re-seed it every time, which is also not the point.
The explicit call to srand(), in any given child, should happen only once.
Maybe you can try a BEGIN block. If I remember correctly, under mod_perl (if you run under 
"registry" to keep the compiled cgi-bin in memory), a BEGIN block should be run only once, 
when the script is first compiled (by this child).

Now, "demerphq" says that this is all not valid, according to the perl source - which he 
consulted and I did not - so it is only my own best guess.
But it is not very expensive to try.

>          my $token = pack "LC*", time, map int rand 256, 1..32 ;
>          my $session_id = encode_base64($token);
>
> It does not solve the problem: the same key is regenerated several times, I suppose because time is in seconds, and the machine serves 40 requests/second, so the seed gets reused?
>
> I tried using /dev/random, but this dies after two requests
>
>          my $seed;
>          open(RAND, "/dev/random") or die "no /dev/random?\n";
>          read (RAND, $seed, 4);
>          close(RAND);
>          srand(unpack("L", $seed));
>
> Many posts on the web suggest using modules such as Math::Random. If I have to install additional modules, I'd prefer to use the Debian packaging system, for maintenance reasons. Is libcrypt-random-seed-perl a possibility?
>
> Still don't understand why the problem does not show up in the other machines, no matter what I throw at them.
>
>
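An added example (editor's illustration, not code from anyone in this thread): instead of seeding rand() with time ^ $$ and then deriving the token from rand(), read the token bytes straight from /dev/urandom. That sidesteps the once-per-child srand() question entirely, and /dev/urandom does not block the way /dev/random does once the entropy pool is drained, which is what the "dies after two requests" symptom points to. For code that still needs rand() elsewhere, it also shows a per-process guard that reseeds exactly once per pid, so a child forked by Apache gets its own seed. It assumes a Linux-like system with /dev/urandom and MIME::Base64 from core Perl; the function names are the editor's own.

```perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Read exactly $n bytes from the kernel CSPRNG.
# Assumption: /dev/urandom exists and is readable (Linux, *BSD, macOS).
# Unlike /dev/random it never blocks waiting for "entropy", so it is safe
# to call on every request, even at 40 requests/second.
sub random_bytes {
    my ($n) = @_;
    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!\n";
    my $got = read($fh, my $buf, $n);
    close($fh);
    die "short read from /dev/urandom\n"
        unless defined $got && $got == $n;
    return $buf;
}

# Session id = 32 random bytes (256 bits), base64 without trailing newline.
# No time() and no $$ go into the token, so two requests in the same second,
# or two children that happened to pick the same seed, cannot produce the
# same id.
sub new_session_id {
    return encode_base64(random_bytes(32), '');
}

# Only if rand() must still be used somewhere: reseed once per process.
# The pid check catches Apache forking a child after the parent already
# seeded, which is the case the thread is worried about.
my $seeded_pid = 0;
sub ensure_seeded {
    return if $seeded_pid == $$;
    srand(unpack('L', random_bytes(4)));   # 32-bit seed from the kernel CSPRNG
    $seeded_pid = $$;
}

# Stand-alone sanity check: 1000 ids in a tight loop, none repeated.
if (!caller) {
    my %seen;
    for (1 .. 1000) {
        my $id = new_session_id();
        die "duplicate session id: $id\n" if $seen{$id}++;
    }
    ensure_seeded();
    print "1000 unique session ids, sample: ", new_session_id(), "\n";
}
```

Under mod_perl the same two functions can live in a module that each child loads; random_bytes() opens and closes the device on each call, which is cheap at this request rate and avoids keeping a filehandle open across a fork.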

