Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

Re: Session ids

__/ [ Andy Jacobs ] on Wednesday 10 May 2006 21:55 \__

> Hi all
> one of my clients uses OSCommerce.  He sent me an e-mail today from a
> site visitor telling a strange tale.  Basically, she's found the site
> under Google and clicked on the link.  When she arrived at the site she
> found that she was logged in under someone's account.

Public or shared terminal, of course. *smile* Unless the software on the site
was buggy...

> Now, either she's a nutter, or something else happened.  The only
> explanation I can come up with is that the person she ended up logged in
> as had recently logged in and then left the site without logging out or
> closing the browser.  The second person arrives and by sheer chance
> picks up the same session id as the person who was logged in.
> Ignoring the probability of that happening, does it sound feasible in
> theory?

In theory, as Richard already said, it's possible. In reality, the software
would have to be dumb to make it feasible.

> I just went to the site and I picked up:
> f2ab7fef428ec6312b728eff00503b01
> as my session id.  Anyone care to throw a figure in for the odds of two
> people generating the same id?  Is it even possible?
> Andy

seems like 16^32, assuming hexadecimal, as opposed to number of letter which
would make it 36^32. Maybe the random number generator is faulty or maybe
one of the above possibilities would explain this...

It comes down to the question: would you trust a client on the phone or
128bit encryption? People tend to say half truths, even in the case of
technical support that is related to hardware and desktop software. Find out
what you are /not/ being told.

Best wishes,


[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index