That's exactly what I do with muti (http://muti.co.za). If you log in and you select the "Autologin" checkbox, then a second cookie is generated, via JavaScript since I did this before the CherryPy fix. That second cookie is saved in a database against the user's name. If they close down the browser and come back the next day, the home page will look for the 40-character random string saved for those users who selected "autologin" and then generate a "session" cookie through the CherryPy API just for that session. (A "session" cookie is never persisted to disk at the client side.)

I am pretty sure that no collisions will happen in my lifetime. Slashdot and many other sites use a shorter random string than I do, and I figure if they are confident with it then so am I ;)

Note that my "autologinid" session uses alphabetic characters, so I believe the number of unique strings is something like 26**40, probably close to the number of electrons in the entire universe or something like that!
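An added example, not code from the original post or from muti: one way to handle the server side of the autologin cookie described above, using only Python's standard library. The names (`AutologinStore`, `issue`, `redeem`) are hypothetical, the dict stands in for the database table, and storing only a SHA-256 digest and rotating the token on each use go beyond what the post describes.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_lowercase   # 26 alphabetic characters, as in the post
TOKEN_LEN = 40                      # 40-character random string, as in the post


def token_entropy_bits():
    """Bits of entropy in one token: log2(26**40), about 188."""
    return TOKEN_LEN * math.log2(len(ALPHABET))


def new_autologin_token():
    """Draw every character from the OS CSPRNG, not the `random` module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))


def _digest(token):
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class AutologinStore:
    """In-memory stand-in (assumption) for the database table in the post."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> username; raw tokens are never stored

    def issue(self, username):
        """Create a token for the persistent cookie and record its digest."""
        token = new_autologin_token()
        self._rows[_digest(token)] = username
        return token

    def redeem(self, token):
        """Return (username, replacement_token), or None if the token is bad.

        The presented token is consumed, so a copied cookie works at most once.
        The caller then creates the per-browser-session cookie for `username`.
        """
        if len(token) != TOKEN_LEN or any(c not in ALPHABET for c in token):
            return None  # reject malformed input before hashing or lookup
        username = self._rows.pop(_digest(token), None)
        if username is None:
            return None
        return username, self.issue(username)
```

Because only digests are kept, a leaked copy of the table does not hand out working autologin cookies.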