[ic] Length of session id
Mike Heins
mike at perusion.com
Wed Sep 20 14:42:45 EDT 2006
Quoting Oleg Raskin (oleg at eville.us):
> Greetings, list!
>
> For the sake of security I have been looking for a way to increase the
> length of the session id from 8 characters to something longer.
> Unfortunately, this doesn't seem to be addressed anywhere in the
> documentation or the list archive. I have also noticed by visiting a few
> of the sites in the "hall of fame" that they also use 8-character session
> ids. Is there any configuration or setting that may address this?
>
Not right now. But I just added the ability to set this
to Session.pm.
Put this in catalog.cfg:

    Limit session_id_length 16

and apply the following patch to get 16 long.
Note that other limits in the code mean you need a number between 8 and
32. It will break Interchange if you use some other value.
Index: Session.pm
===================================================================
RCS file: /var/cvs/interchange/lib/Vend/Session.pm,v
retrieving revision 2.25
diff -u -r2.25 Session.pm
--- Session.pm 26 Jul 2006 07:51:34 -0000 2.25
+++ Session.pm 20 Sep 2006 18:38:37 -0000
@@ -241,7 +241,7 @@
open_session();
for (;;) {
unless (defined $seed) {
- $Vend::SessionID = random_string();
+ $Vend::SessionID = random_string($::Limit->{session_id_length});
undef $Vend::CookieID;
}
undef $seed;
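Review bot: The argument added to random_string() on the + line takes $::Limit->{session_id_length} straight from catalog.cfg with no range check, while the message above says any value outside 8 to 32 breaks Interchange. Validate the value before this call (or where the Limit directive is read), fall back to the previous no-argument call when the directive is unset or out of range, and document the directive and its bounds so a typo in catalog.cfg cannot take the session code down.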
--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.765.647.1295 tollfree 800-949-1889 <mike at perusion.com>
Being against torture ought to be sort of a bipartisan thing.
-- Karl Lehenbauer