HttpSession Key Generation Implementation

I am trying to implement the HttpSession key generation

I generate a random number from 1,000,000 to 9,999,999 and send it as a cookie to the user.

Can this process be made safe? Anyone can make a random number like this and try to access my server ... maybe I need a wider range?

Another question: how can I generate a number that I haven't created yet? Right now I am restoring every time this number is used. Is it possible to do better?

+3
3 answers

: GUID/UUID JavaScript?

RFC 4122, , , . NodeJS, .

BTW: 7 , .

+1
+3

, . - ( , Java ):

random_number = rand(1000000, 9999999);                // Random session number (pseudocode)
secret = "Some random text here";                      // Server-side secret, never sent to the client
timestamp = unix_timestamp();                          // Get a UNIX timestamp
user_ip = users_ip();                                  // Get the user IP
setcookie("random_number", random_number);             // Save the random number
setcookie("timestamp", timestamp);
setcookie("token", sha256(random_number + secret + timestamp + user_ip)); // Concat and hash everything to form a token

, , :

random_number = getcookie("random_number");
secret = "Some random text here";                      // Must be the same secret used when the token was issued
timestamp = int(getcookie("timestamp"));
user_ip = users_ip();                                  // Get the user IP
token = sha256(random_number + secret + timestamp + user_ip); // Recompute the token from the same inputs

// timeout is the session lifetime in seconds, e.g. 3600 for one hour
if(unix_timestamp() - timestamp < 0 || unix_timestamp() - timestamp > timeout) {
    // The token is from the future or more than an hour old; it might have been stolen.
}
if(token == getcookie("token")) {
    // The user is valid
} else {
    // The user is invalid
}

- , , IP-. timestamp, , . .

, . . ( , " timestamp ip", "ip number timestamp" ..).

, HMAC - , , . .

Hope this helps.

EDIT

It should be noted that your secrets must be the same to verify the work.

+2
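The following is an added example, not code from the question or from either answer. It covers both the question's concern (a 7-digit random number is far too small a space for a session key, and uniqueness follows from using a large enough random value rather than from checking for reuse) and the second answer's token scheme, rewritten as an HMAC over the session id, the timestamp and the client IP with a fixed delimiter between fields, so that reordering or re-splitting the concatenated fields cannot produce the same message. The secret key, the cookie names, the `|` delimiter and the sample IP addresses are assumptions made for this example.

```python
import hashlib
import hmac
import math
import secrets
import time

# Server-side key. Generated here for a self-contained demo; a real deployment
# loads it from configuration and never sends it to the client (assumption).
SECRET_KEY = secrets.token_bytes(32)


def entropy_bits(num_values):
    """Bits of entropy in a uniformly random choice among num_values values."""
    return math.log2(num_values)


def new_session_id(nbytes=32):
    """A session id from the OS CSPRNG. 32 bytes = 256 bits, so a collision with
    an existing id is negligible and no 'have I issued this before' check is needed."""
    return secrets.token_urlsafe(nbytes)


def _message(session_id, timestamp, user_ip):
    # Fixed delimiter: "1|23" and "12|3" stay distinct, unlike plain concatenation.
    return f"{session_id}|{timestamp}|{user_ip}".encode()


def issue_token(session_id, user_ip, now=None, key=SECRET_KEY):
    """Return the three cookie values the server sets for this session."""
    ts = int(time.time()) if now is None else int(now)
    mac = hmac.new(key, _message(session_id, ts, user_ip), hashlib.sha256).hexdigest()
    return {"session_id": session_id, "timestamp": str(ts), "token": mac}


def verify_token(cookies, user_ip, timeout=3600, now=None, key=SECRET_KEY):
    """Return (ok, reason) for the cookies presented by a client at address user_ip.

    Rejects timestamps from the future or older than `timeout` seconds, then
    recomputes the HMAC and compares it in constant time.
    """
    try:
        ts = int(cookies["timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    current = int(time.time()) if now is None else int(now)
    age = current - ts
    if age < 0 or age > timeout:
        return False, "expired"
    expected = hmac.new(
        key, _message(cookies.get("session_id", ""), ts, user_ip), hashlib.sha256
    ).hexdigest()
    # compare_digest avoids leaking where the first mismatching byte is.
    if not hmac.compare_digest(expected, cookies.get("token", "")):
        return False, "bad token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    print(f"7-digit number: {entropy_bits(9_000_000):.1f} bits of entropy")
    print(f"token_urlsafe(32): {entropy_bits(2 ** 256):.0f} bits of entropy")
    sid = new_session_id()
    cookies = issue_token(sid, "203.0.113.5", now=1_700_000_000)
    print(cookies)
    print(verify_token(cookies, "203.0.113.5", now=1_700_000_100))
    print(verify_token(cookies, "198.51.100.9", now=1_700_000_100))
```

The second answer hashes `secret` together with the data; an HMAC keyed with the secret is the standard construction for that purpose and is what this example uses. Binding the token to the client IP, as the answer does, is kept here, but note that clients behind carrier NAT or mobile networks change address during a session, so a deployment may want to drop the IP field and rely on the timeout alone.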

Source: https://habr.com/ru/post/1758571/
