Categories
Programming

mod_perl & session ids

I’ve been trying out a few things in mod_perl just recently, getting together a small basic framework that handles sessions and generates an entire site (apart from images) from a bunch of Perl modules. It’s a lot harder than I thought it would be but I’ve got the basic code working now.
Next step is security of session data.


There are several methods that I’ve come up with:
– simple md5 checksum of something like date+time+client ip address as long as it’s unique in the db. Disadvantage is that it’s only got a “limited” number of combinations and could in theory be subject to a brute-force attack.
– simple md5 checksum of something like date+time+client ip address+fixed string as long as it’s unique in the db. Could potentially combine this with some verifiable data so it’s possible to make sure the checksum isn’t compromised.
– base64 encoding of some data that can be verified in some way – perhaps client ip address, user agent, and/or something else.
– combination of the previous two but including a fixed “random” string so that the md5 checksum can be verified against the encoded data but not easily forged.
– something I’ve not thought of. Feel free to suggest something in the comments!