Ola Lundqvist <o...@inguza.com> writes:

> Precisely. This is why I was asking about the length of the session id
> used. With the length we can estimate how many times an attacker may try to
> find all possible values.
> If this is small enough (and the attacker is close enough) it can be
> exploited. But if the session key is really large, then there is no way
> that this can be done in practice even with years of tries.
If I understand this code correctly, by reading it:

https://github.com/rack/rack/blob/18f708b5b691f0219be35e453dbb7ef8397060c9/lib/rack/session/abstract/id.rb

The default size of a sid is intended to be 128 bits, or 32 hex digits long. However, this value is created by SecureRandom.hex() - see https://ruby-doc.org/stdlib-2.5.1/libdoc/securerandom/rdoc/SecureRandom.html - which actually takes a parameter with the number of bytes, not the number of digits. So when we pass this function 32, we actually get 32 bytes (=256 bits), or 64 digits.

irb(main):007:0> p SecureRandom.hex(1)
"82"
=> "82"
irb(main):006:0> p SecureRandom.hex(2)
"5fad"
=> "5fad"

--
Brian May <b...@debian.org>
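The bytes-versus-digits point above, as an added example that models the generation step and is not rack's own code: generate_sid, entropy_bits, sid_entropy_check and expected_guesses are constructed here; sidbits = 128 and sid_length = sidbits / 4 are taken from the message, and the byte/digit semantics are SecureRandom's documented behaviour.

```ruby
require 'securerandom'

# Added example (not rack's own code): models the session-id generation step
# described above. sidbits is the configured entropy in bits (rack's default
# is 128); sid_length = sidbits / 4 is the intended number of hex digits.
# SecureRandom.hex(n) yields n random BYTES rendered as 2n hex digits, so
# passing the digit count as the byte count doubles the entropy.
def generate_sid(sidbits = 128)
  sid_length = sidbits / 4               # intended hex-digit count (32)
  SecureRandom.hex(sid_length)           # but hex() takes a byte count
end

# Entropy actually carried by a hex session id: 4 bits per hex digit.
def entropy_bits(sid)
  raise ArgumentError, 'not a hex string' unless sid.match?(/\A\h+\z/)
  sid.length * 4
end

# Compare intended vs. actual entropy for a given sidbits setting.
# Returns [intended_bits, actual_bits, hex_digits].
def sid_entropy_check(sidbits = 128)
  sid = generate_sid(sidbits)
  [sidbits, entropy_bits(sid), sid.length]
end

# Expected number of blind guesses to hit one specific live session id
# (half the keyspace); Float so large values stay easy to compare and print.
def expected_guesses(bits)
  2.0**(bits - 1)
end

if __FILE__ == $0
  intended, actual, digits = sid_entropy_check
  puts "intended=#{intended} bits, actual=#{actual} bits, digits=#{digits}"
  puts format('expected guesses to hit a given sid: %.3e', expected_guesses(actual))
end
```

With the default setting the check returns [128, 256, 64]: the id carries twice the configured entropy, which is why exhaustive guessing is out of reach regardless of how the timing question is resolved.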