Re: Thinking out loud about a new RPG web framework

hi Matt, you misunderstood. The session index is an internal number correlated with a session id. Session id's are of course not sequential. I was dicussing in CGIDEV2 forum with the Rennaisance person which assigns session id's as a 10 digit user index number for their environment, but if assigning them with my own code I wrote:

I see the user index key is a 10 digit number. I have been studying web app security including secure session management from books because I see from my website log the attacks that come in around the clock and I didn't want to put anything up on the web without knowing what I'm doing.

I was going to generate a random session id and encode it to a 32 digit key, but after looking at the links in this Persistence thread I am thinking maybe a random number added to the 6 digit job number and time (to thwart those who can compute next likely pseudo-random numbers from a sequence) and truncated at 10 digits would serve very well as a session id.

regards,
rd


Matt Haas wrote:
<snip>
Then when a dataq entry is written to the server, along with it comes
a session id that was assigned from 1 to 10,000 when the user logged in.
For example, Rennaissance assigns a session id in their environment that
would be correlated to a number between 1 and max users. That number
will then be a data structure index in the program. Every statement will
access variables as x(sess_idx) = something rather than x = something.
</snip>

Before you get too far into this, you should know that assigning sequential session id's is very, very, very bad in a web environment. As soon as someone figures that out, it will be easy to assume someone else's identity just by changing the session id. You must use a more random id in this environment. Two good options are using a GUID (or UUID -- forget what IBM refers to them as) or the _CIPHER MI's pseudo-random number generator.

Matt