Comments on: Are Ruby Session ID’s Secure? http://memerocket.com/2008/10/14/are-ruby-session-ids-secure/ Bill Burcham's Launch Platform Fri, 17 Feb 2012 23:21:23 +0000 hourly 1 http://wordpress.com/ By: Greg http://memerocket.com/2008/10/14/are-ruby-session-ids-secure/#comment-951 Fri, 19 Dec 2008 00:21:42 +0000 http://meme-rocket.com/2008/10/14/are-ruby-session-ids-secure/#comment-951 Netscape has a similar problem 12 years ago in their original implementation of SSL!

]]> By: Bill http://memerocket.com/2008/10/14/are-ruby-session-ids-secure/#comment-937 Wed, 15 Oct 2008 15:22:33 +0000 http://meme-rocket.com/2008/10/14/are-ruby-session-ids-secure/#comment-937 Chris, the first version of this post was misleading. It implied that the first call to rand set the seed material for subsequent calls. In fact it is only the srand call that does that.

My new reading is that if srand is never called, then rand will use current time and process id each time it is called. Essentially, srand is only used in testing situations (where you want to take system time and process id out of the equation and make your pseudorandom sequence predictable). In other words—not our situation.

]]> By: Chris Heald http://memerocket.com/2008/10/14/are-ruby-session-ids-secure/#comment-936 Wed, 15 Oct 2008 10:43:52 +0000 http://meme-rocket.com/2008/10/14/are-ruby-session-ids-secure/#comment-936 I think the key here is that Ruby’s rand *seeds* itself from known values. If there is any single call to rand at any time not coincident with an HTTP header that the end user is made privvy to, then the values returned from rand are effectively unpredictable.

]]>