On Wed, 2006-03-08 at 17:13 +0300, Strong wrote:
> > > I can't understand why You do not simply use a huge random ids?
> > Because "random" ne "unique", and if you get one that isn't unique,
> > you will have problems. Random also doesn't mean someone can't get
> > lucky and hit one if they write a script to try IDs all day.
> Thanks for explanation! I got it. But we can check it for existence at
> least blocking that say map-file for writing for a moment...

Yes, you could do that, assuming you are already using some kind of shared storage with efficient locking. That won't prevent an attacker from guessing a valid session ID though. It can be very unlikely, but it will still be possible.

- Perrin
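
The two points in this exchange, uniqueness through an atomic existence check and the residual chance of a guessed ID, shown as an added example that is not part of the original thread or of CGI::Application. It assumes one file per session in a directory and a readable /dev/urandom; the function names and the load figures are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_CREAT O_EXCL O_WRONLY);
use File::Temp qw(tempdir);

# Read $bytes from the kernel CSPRNG (assumed: /dev/urandom) as hex.
sub random_id {
    my ($bytes) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    my $got = read($fh, my $buf, $bytes);
    close $fh;
    die "short read from urandom" unless defined $got && $got == $bytes;
    return unpack('H*', $buf);
}

# Claim an ID by creating its session file with O_EXCL: the create fails
# atomically if the file already exists, so the existence check and the
# write cannot race and no separate lock on a map file is needed.
sub new_session {
    my ($dir, $bytes) = @_;
    for my $attempt (1 .. 5) {
        my $id = random_id($bytes);
        if (sysopen(my $fh, "$dir/$id", O_CREAT | O_EXCL | O_WRONLY, 0600)) {
            close $fh;
            return $id;
        }
        die "cannot create session file: $!" unless $!{EEXIST};
    }
    die "could not allocate a unique session ID";
}

# Upper bound on the chance that at least one of $guesses guesses hits
# one of $live valid IDs drawn uniformly from a 2**$bits space.
sub guess_probability {
    my ($bits, $live, $guesses) = @_;
    my $p = $live * $guesses / 2**$bits;
    return $p > 1 ? 1 : $p;
}

my $dir = tempdir(CLEANUP => 1);   # constructed session store for the demo
my $id  = new_session($dir, 16);   # 16 bytes = 128-bit ID
print "allocated $id\n";

# Constructed load: 10,000 live sessions, 1,000 guesses per second for a day.
printf "32-bit IDs:  p <= %.3g\n", guess_probability(32,  10_000, 86_400_000);
printf "128-bit IDs: p <= %.3g\n", guess_probability(128, 10_000, 86_400_000);
```

The exclusive create guarantees uniqueness; only the ID length and the quality of the random source change how unlikely a successful guess is.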