[Twisted-web] Session class

George Pauly george at ringdevelopment.com
Fri Oct 3 13:27:57 EDT 2008


There are a couple  of things I don't understand about Site._mkuid() 

IANAC (I am not a cryptographer).

Md5 collisions are rare, but (I guess) might theoretically happen
depending on length of input.  Does appending the counter to the random
output with an underscore change the statistics of collision?  

Alternatively, perhaps the counter is used as a salt?  If so, the salt
does not seem _very_ secret in this case.  If a sufficiently strong
random number is used a salt would seem unnecessary.  

I've looked at some python code for session keys (Django, something on
activestate that might be Zope code) and they hash together various
things, but not counters.

I've generated session keys by appending plain-text counters (with an
offset) to random hashes.  This guarantees uniqueness & is handy because
it is human readable & you can quickly see how many sessions have been
used since initiation.  Of course, the counter value might be sensitive
information in some situations.  An encrypted counter might be helpful,
if the object is to have a session key that is guaranteed random and
unique.  Or you could just check to see if the key was in use, ala
Django, and leave off the counter altogether.

One idea from this code (http://code.activestate.com/recipes/52252/) :

> # create a unique session id
> # input - string to use as part of the data used to create the session key.
> #         Although not required, it is best if this includes some unique 
> #         data from the site, such as it's IP address or other environment 
> #         information.  For ZOPE applications, pass in the entire ZOPE "REQUEST"
> #         object.
> def makeSessionId(st):
> 	import md5, time, base64
> 	m = md5.new()
> 	m.update('this is a test of the emergency broadcasting system')
> 	m.update(str(time.time()))
> 	m.update(str(st))
> 	return string.replace(base64.encodestring(m.digest())[:-3], '/', '$'
> )

is to pass in environment info to defend against hijacking.  I've used a
very similar method in a stateless (on the server, for cgi) session key
using several environment vars and a salt.  This code does not seem to
worry about uniqueness (may be OK, I'm not sure).


On Fri, 2008-10-03 at 13:01 +0200, Maarten ter Huurne wrote:
George Pauly
Ring Development

More information about the Twisted-web mailing list