How to get a long random session ID string??

[adelante]

How do I create one of those random strings with numbers and characters, used for session ID's?

I used to do this:
$id = Apache::Session::Generate::MD5::generate();

...and then I had a long string that looked something like this:
84jg74yg457h4gd6t83nfu5h8r654h5ejg783

The new webserver doesn't have the old module Apache::Session::Generate::MD5::generate() instead they got something called Digest::MD5;

Can I use that instead to make the session ID string? and how?

Or does anyone know an easy way to make a long string of mixed random numbers and characters??

Thanks alot

 

[MillerH]

Yeah, no problem!

# Step 1 - Acquire Keyboard
# Step 2 - Acquire Monkey
# Step 3 - Give Keyboard to Monkey
# Step 4 - ???
# Step 5 - Profit!

Example: qwer8ase820asdf002340sd0aaasdf023

Always here to help out!

 

[adelante]

Haven't got a monkey

 

[MillerH]

Then I would suggest something like the following:

my @chars = (0..9,a..z,A..Z);
my $len = 20;

my $string = join '', map {$chars[rand(@chars)]} (1..$len);

http://perldoc.perl.org/functions/rand.html

 

[adelante]

Thanks alot!

I didn't understand much of what it did, but it works. I will try look up join and map.

Thanks again!!

 

[Kirsle]

I just use Digest::MD5 and encode a random number, the output always contains all kinds of letters and numbers.

use Digest::MD5 qw(md5_hex);
my $string = md5_hex (int(rand(99999999)));

-------------
Cuvou.com | The NEW Kirsle.net

 

[adelante]

Thanks again!

I was just wondering, some people say that rand is predictive, is that true? How predictive is it?
- this is more for my knowledge.

 

[Kirsle]

Rand is predictive if you know the random number seed.

i.e. run this program several times:

srand 150; # some random seed
for (1..100) {
   print int(rand(10000)), "\n"; # random number out of 10k
   sleep 1;
}

The 100 random numbers out of 1,000 will always be picked in the same order every time, if srand always remains being 150.

Random numbers use a complicated formula based on the seed, but when the seed is the same, the formula always outputs the same numbers. If you seed it based on time(), the seed will always be different every time your script runs, but if somebody knew exactly what time() the script generated your session, they would know what it did.

The more random the seed is, the harder it is to predict what number it's going to produce next. Maybe combine the seed with time() and the current amount of CPU free or some other changing factors so that the seed is really hard to figure out.

-------------
Cuvou.com | The NEW Kirsle.net

 

[adelante]

Wow... nice knowledge!!

MD5 is pretty sure thought, right? it's generated a complete different way right??

Basically, I think it's paranoia to even think this is an issue, but well, I'm doing so, also because I'm kinda curious about why people talk to much about it.

Yeah! I wonder why they didn't just make the random thing depend on something like that! CPU in use, or Time, or something else on top of the good old random thing.

Btw just curious, in case you are bored...

The 100 random numbers out of 1,000 will always be picked in the same order every time, if srand always remains being 150.

what did you mean did you mean?? the random function only got about 1000 numbers stored, so that if I wrote them down 10000 times, then e.g. the number 7, will ALWAYS be in position 891??

You dont have to answer unless you find it interesting.

Thanks alot!!!

 

[MillerH]

http://perldoc.perl.org/functions/srand.html

It sometimes is useful in number theory analysis to have predictable random numbers. To achieve this, they use the srand function to seed the psuedo random number generator at a specific point. This gives reproducable results that can be used to verify your logic is correct.

If you read the srand documentation above, you will learn that it is not useful or helpful to seed the rand function to acheive "more random" numbers. This is already done sufficiently well by rand by default:

Most programs won't even call srand() at all, except those that need a cryptographically-strong starting point rather than the generally acceptable default, which is based on time of day, process ID, and memory allocation, or the /dev/urandom device, if available.

If you want to use Digest::MD5, do so. But it's not going to serve your randomness needs better than the code that I gave you.

If security is a concern, I would suggest that you tie Sessions to the IP address of the logging in user. This would avoid any possible spoofing, if that really is a concern for your website.

 

[rharsh]

If you want to use Digest::MD5, do so. But it's not going to serve your randomness needs better than the code that I gave you.

Plus the monkeys won't understand Digest::MD5; maybe Digest::Banana would work?

 

[mbrooks]

Just use the subroutine from the Apache::Session::MD5 module.

Note: This has been slightly modified to meet your requirements.

#!/usr/bin/perl -w

use Digest::MD5;

my $session_id = generate_id(50);     # 50 character string

print $session_id;

sub generate_id {
	my $length = shift();

	return substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}. rand(). $$)), 0, $length);
}

M. Brooks

http://mbrooks.info

 

[mbrooks]

Or better yet.

sub generate_id {
	my $length = shift();
	$length  ||= 25;     # default 25 characters

	return substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}. rand(). $$)), 0, $length);
}

M. Brooks

http://mbrooks.info

 

[adelante]

Wow, I'm amazed!!

So well to sum it all up, you have to reload it a zillion times to be able to predict anything. The reason I asked was that some dude once said that the only way to make a true secure session ID, was to use some atomic geiger dongle to generate something really random. And that "ohh, random numbers on a computer is SO predictable"... well, now I know they are not.

And who want to spend time hacking session ID's. It's not a bank site I'm doing anyway!

Thanks alot everyone!!!

Digest::Banana LOL

 

[MillerH]

Random number arguments...

Geek 1: Mine's more random than yours!
Geek 2: No, Mine is! Yours is only a psuedo-random time seeded single iterative MD5 encrypted number. Mine's Double MD5 encrypted!
Geek Audience: Woooooooo

Rarely do these explorations serve any purpose other than mathematical curiousity. Which is fun, no doubt. But the level of attention to this type of insignificant detail is often indirectly proportional to how long ago said geek has been with a .

Just an ex-math+physics major's enlightened opinion