[ic] Length of session id

ic at 3edge.com
Wed Sep 20 13:42:48 EDT 2006


Oleg Raskin writes: 

> Greetings, list! 
> 
> For the sake of security I have been looking for a way to increase the
> length of the session id from 8 characters to something longer. 
> Unfortunately, this doesn't seem to be addressed anywhere in the
> documentation or the list archive.  I have also noticed by visiting a few
> of the sites in the "hall of fame" that they also use 8-character session
> id's.  Is there any configuration or setting that may address this? 
> 
> Thanks.

From what I can see in the code, the session id is assigned in
Vend/Session.pm by: $Vend::SessionID = random_string();

random_string sub is found in
Vend/Util.pm 

And there it says: 

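sub random_string {
   my ($len) = @_;
   # Default to 8 characters when the caller passes no length
   $len = 8 unless $len;
   my ($r, $i);

   $r = '';
   # $random_chars is defined outside this sub (not shown in this post)
   for ($i = 0;  $i < $len;  ++$i) {
      $r .= substr($random_chars, int(rand(length($random_chars))), 1);
   }
   $r;
}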


As there is no parameter passed to random_string it takes 8 ... It could be 
something relatively simple to make configurable I suppose? 

CU, 

Gert
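
An added example, not part of the original post and not Interchange code: a sketch of a length-configurable generator of the kind discussed above. It goes one step beyond length by drawing bytes from /dev/urandom, because Perl's rand() is documented as unsuitable for security-sensitive values. The names secure_random_string and id_bits, the default of 32 and the 62-character alphabet are assumptions; the post does not show the contents of $random_chars.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed alphabet; the post does not show what $random_chars contains.
my @ALPHABET = ('A'..'Z', 'a'..'z', '0'..'9');

# Hypothetical replacement for random_string(): the length is a parameter
# and the randomness comes from the kernel CSPRNG instead of rand().
sub secure_random_string {
    my ($len) = @_;
    $len = 32 unless $len;              # constructed default, not Interchange's
    my $n     = scalar @ALPHABET;
    my $limit = 256 - (256 % $n);       # bytes >= $limit are rejected (no modulo bias)

    open(my $fh, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!";
    my $r = '';
    while (length($r) < $len) {
        my $buf;
        my $got = read($fh, $buf, 64);
        die "read from /dev/urandom failed" unless $got;
        for my $byte (unpack('C*', $buf)) {
            next if $byte >= $limit;
            $r .= $ALPHABET[$byte % $n];
            last if length($r) == $len;
        }
    }
    close($fh);
    return $r;
}

# Upper bound on the entropy, in bits, of an id of $len characters
# drawn uniformly from @ALPHABET.
sub id_bits {
    my ($len) = @_;
    return $len * log(scalar @ALPHABET) / log(2);
}

# Compare the current 8-character length with longer ids.
printf "%2d chars: at most %.1f bits  e.g. %s\n",
    $_, id_bits($_), secure_random_string($_)
    for (8, 16, 32);
```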

