[Catalyst] Re: Production session issue - commercial support inquiry?
Wade Stuart
wbs at grepit.net
Fri Jan 9 21:19:14 GMT 2009
Sorry,
Wanted to clarify a few things. I realized there may be a few cryptonuts
on this list and I want to avoid a flame. The "session_hash_seed" is
actually not a seed generator -- but a plaintext generator. Below, I am
talking about collisions of the plaintext and therefore the digest -- not
digest collisions on unique plaintexts. Given that the default is:
    sub session_hash_seed {
        my $c = shift;
        return join( "", ++$counter, time, rand, $$, {}, overload::StrVal($c), );
    }
and the generator is
    sub generate_session_id {
        my $c = shift;
        my $digest = $c->_find_digest();
        $digest->add( $c->session_hash_seed() );    # note the "seed" is actually plaintext
        return $digest->hexdigest;
    }
and that the OP is running on a prefork system, most of the join on the
seed above can theoretically overlap on a high hit, fast cycled/forked
system -- resulting in potential overlaps of plaintext and therefore session
id/digest. Depending on how many children and the fork depth (runs per
fork) this situation could be exacerbated.
--
Thanks!
Wade Stuart
Phone: 917-363-6164
IM: SpaceMuscles
On Fri, Jan 9, 2009 at 3:50 PM, Wade Stuart <wbs at grepit.net> wrote:
> Have you looked at trying to replace the seed generator for the session (or
> if you have, have you verified it actually has enough entropy for your
> load)? I could imagine given enough preforks and hitrate that the default
> seed could allow for some collisions. I would expect it would take a very
> high hit rate -- if so you may need to pull more than 20 bytes of random to
> get enough entropy. Examples from the POD below:
>
> In the hopes that those combined values are entropic enough for most uses.
> If this is not the case you can replace session_hash_seed with e.g.
>
>     sub session_hash_seed {
>         open my $fh, "<", "/dev/random";
>         read $fh, my $bytes, 20;
>         close $fh;
>         return $bytes;
>     }
>
> Or even more directly, replace generate_session_id:
>
>     sub generate_session_id {
>         open my $fh, "<", "/dev/random";
>         read $fh, my $bytes, 20;
>         close $fh;
>         return unpack("H*", $bytes);
>     }
>
>
>
> --
> Thanks!
>
> Wade Stuart
>
> Phone: 917-363-6164
> IM: SpaceMuscles
>
>
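
To check on your own host which fields of the default session_hash_seed plaintext actually differ between prefork children, the following is an added example (not part of the original message and not Catalyst's own code). It forks four children and counts the distinct values seen per field. My::FakeContext and seed_fields are hypothetical names, and the parent's rand() call before forking is an assumption about the application.

```perl
#!/usr/bin/perl
# Added example: per-field variation of the default seed plaintext
# across forked children. Constructed harness, not Catalyst code.
use strict;
use warnings;
use overload ();

my $counter = 0;
my $c = bless {}, 'My::FakeContext';    # hypothetical stand-in for the context object

# Same fields as the default session_hash_seed, kept separate for comparison.
sub seed_fields {
    my $ctx = shift;
    return ( ++$counter, time(), rand(), $$, +{}, overload::StrVal($ctx) );
}

# Assumption: something in the parent used rand before forking, so the
# PRNG is already seeded and every child inherits the same state.
rand();

my @names = qw(counter time rand pid anon_hash ctx_addr);
my @rows;
for my $n ( 1 .. 4 ) {
    pipe( my $r, my $w ) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ( $pid == 0 ) {    # child: report one seed's fields, then exit
        close $r;
        print {$w} join( "\t", seed_fields($c) ), "\n";
        close $w;
        exit 0;
    }
    close $w;
    chomp( my $line = <$r> );
    close $r;
    waitpid( $pid, 0 );
    push @rows, [ split /\t/, $line ];
}

# A field only separates one child's plaintext from another's if it
# shows more than one distinct value here.
for my $i ( 0 .. $#names ) {
    my %seen;
    $seen{ $_->[$i] } = 1 for @rows;
    printf "%-10s %d distinct value(s) across %d children\n",
        $names[$i], scalar( keys %seen ), scalar @rows;
}
```

Fields that report a single distinct value contribute nothing toward keeping the plaintexts of different children apart, so the digest input rests on whichever fields remain.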