Hi Matt, you misunderstood. The session index is an internal number
correlated with a session ID. Session IDs are of course not sequential.
I was discussing in the CGIDEV2 forum with the Rennaisance person, whose
environment assigns session IDs as a 10-digit user index number, but if
assigning them with my own code, I wrote:
I see the user index key is a 10-digit number. I have been studying
web app security, including secure session management, from books, because
I see from my website log the attacks that come in around the clock and
I didn't want to put anything up on the web without knowing what I'm doing.
I was going to generate a random session ID and encode it to a 32-digit
key, but after looking at the links in this Persistence thread I
am thinking maybe a random number added to the 6-digit job number and
time (to thwart those who can compute the next likely pseudo-random numbers
from a sequence) and truncated at 10 digits would serve very well as a
session ID.
regards,
rd
Matt Haas wrote:
<snip>
Then when a dataq entry is written to the server, along with it comes
a session ID that was assigned from 1 to 10,000 when the user logged in.
For example, Rennaissance assigns a session ID in their environment that
would be correlated to a number between 1 and max users. That number
will then be a data structure index in the program. Every statement will
access variables as x(sess_idx) = something rather than x = something.
</snip>
Before you get too far into this, you should know that assigning
sequential session IDs is very, very, very bad in a web environment. As
soon as someone figures that out, it will be easy to assume someone
else's identity just by changing the session ID. You must use a more
random ID in this environment. Two good options are using a GUID (or
UUID -- forget what IBM refers to them as) or the _CIPHER MI's
pseudo-random number generator.
Matt
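The two schemes discussed above side by side, as an added example that is not code from this thread, from the Rennaisance framework or from midrange.com; the class and function names (SequentialSessions, RandomSessions, MAX_USERS, id_entropy_bits, expected_guesses) are assumptions made for the demonstration. It keeps the internal array index rd describes (1..max users) strictly server-side and hands the browser only an opaque random token, and it shows the cost of the alternatives in numbers: a sequential ID is hijacked by adding one, while any 10-decimal-digit ID, however it is derived from job number, time and a random addend, lives in a space of at most 10^10 values (about 33 bits), so with 10,000 live sessions a blind guesser needs roughly 500,000 tries on average to land in someone's session. A 32-hex-digit token from the OS CSPRNG gives 128 bits; a version-4 UUID gives 122.

```python
"""Session identifiers: sequential (guessable) vs. random (opaque).

Illustrative example written for this thread; not code from the thread,
from the Rennaisance framework or from midrange.com. All names below are
assumptions for the demonstration.
"""
import math
import secrets
import uuid

MAX_USERS = 10_000  # assumed size of the per-session array, as in Matt's post


def id_entropy_bits(alphabet_size, length):
    """Bits of unpredictability in an ID drawn uniformly from alphabet_size ** length values."""
    return length * math.log2(alphabet_size)


def expected_guesses(id_space, live_sessions):
    """Expected blind guesses before hitting *some* live session.

    With N valid IDs spread over a space of S values, about S / (2N) guesses
    suffice on average; the space, not how the ID was derived, sets the bound.
    """
    return id_space // (2 * live_sessions)


class SequentialSessions:
    """The scheme Matt warns about: the session ID is the array index itself."""

    def __init__(self):
        self._next = 1
        self._user_by_id = {}

    def login(self, user):
        sid = self._next
        self._next += 1
        self._user_by_id[sid] = user
        return sid

    def lookup(self, sid):
        return self._user_by_id.get(sid)


class RandomSessions:
    """Array slot stays internal; the client only ever sees an opaque random token."""

    def __init__(self, max_users=MAX_USERS):
        self._free_slots = list(range(max_users, 0, -1))  # pop() hands out 1 first
        self._slot_by_token = {}  # token -> (slot, user)

    def login(self, user):
        if not self._free_slots:
            raise RuntimeError("all session slots in use")
        slot = self._free_slots.pop()
        token = secrets.token_hex(16)  # 32 hex digits = 128 bits from the OS CSPRNG
        self._slot_by_token[token] = (slot, user)
        return token  # this is what goes into the cookie / hidden field

    def lookup(self, token):
        """Return (slot, user) or None; the program then uses x(slot) internally."""
        return self._slot_by_token.get(token)

    def logout(self, token):
        entry = self._slot_by_token.pop(token, None)
        if entry is not None:
            self._free_slots.append(entry[0])  # slot becomes reusable
        return entry is not None


def uuid_token():
    """Matt's other suggestion: a version-4 UUID carries 122 random bits."""
    return str(uuid.uuid4())


def demo():
    seq = SequentialSessions()
    alice = seq.login("alice")
    seq.login("bob")
    hijacked = seq.lookup(alice + 1)  # attacker holding alice's ID just adds one

    rnd = RandomSessions()
    t_alice = rnd.login("alice")
    rnd.login("bob")
    # Changing any character of a random token yields one that resolves to nobody.
    tampered = ("0" if t_alice[0] != "0" else "1") + t_alice[1:]
    return hijacked, rnd.lookup(tampered), len(t_alice)


if __name__ == "__main__":
    hijacked, tampered_hit, token_len = demo()
    print("sequential: alice's ID + 1 belongs to", hijacked)
    print("random: tampered token resolves to", tampered_hit, "(token length", token_len, ")")
    print("10 decimal digits:", round(id_entropy_bits(10, 10), 1), "bits")
    print("32 hex digits:    ", id_entropy_bits(16, 32), "bits")
    print("guesses to hit one of 10,000 live 10-digit IDs:", expected_guesses(10**10, 10_000))
    print("uuid4 example:", uuid_token())
```

The token must come from a cryptographic generator, not from the job number or the clock; on IBM i that is the _CIPHER MI pseudo-random generator Matt mentions or the Qc3GenPRNs API, and in Python the `secrets` module used here. The slot number is only ever looked up from the token on the server, so the client never learns or chooses an array index.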
This thread: Re: Thinking out loud about a new RPG web framework (continued)
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.