[ic] Length of session id

Mike Heins mike at perusion.com
Wed Sep 20 14:42:45 EDT 2006

Quoting Oleg Raskin (oleg at eville.us):
> Greetings, list!
> For the sake of security I have been looking for a way to increase the
> length of the session id from 8 characters to something longer. 
> Unfortunately, this doesn't seem to be addressed anywhere in the
> documentation or the list archive.  I have also noticed by visiting a few
> of the sites in the "hall of fame" that they also use 8-character session
> id's.  Is there any configuration or setting that may address this?

Not right now. But I just added the ability to set this
to Session.pm.

Put this in catalog.cfg:

	Limit  session_id_length  16

and apply the following patch to get 16 long.

Note that other limits in the code mean you need a number between 8 and
32. It will break Interchange if you use some other value.

Index: Session.pm
RCS file: /var/cvs/interchange/lib/Vend/Session.pm,v
retrieving revision 2.25
diff -u -r2.25 Session.pm
--- Session.pm	26 Jul 2006 07:51:34 -0000	2.25
+++ Session.pm	20 Sep 2006 18:38:37 -0000
@@ -241,7 +241,7 @@
     for (;;) {
 		unless (defined $seed) {
-			$Vend::SessionID = random_string();
+			$Vend::SessionID = random_string($::Limit->{session_id_length});
 			undef $Vend::CookieID;
 		undef $seed;

Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295  tollfree 800-949-1889 <mike at perusion.com>

Being against torture ought to be sort of a bipartisan thing.
-- Karl Lehenbauer

More information about the interchange-users mailing list