Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


More on LinuxToday


PHP blunders with random numbers

Mar 31, 2010, 03:03 (1 Talkback[s])

"Security expert Andreas Bogk warns that, despite recent PHP improvements, the session IDs of users who are logged into PHP applications remain guessable. Upon close examination, the alleged improvements display frightening weaknesses.

"PHP assigns a session ID in order to allow individual page calls to be allocated to a specific logged-in user. To prevent attackers from using a forged session ID to take control of a session, the ID is chosen supposedly at random. When computers require random numbers, invariably a pseudo random number generator such as the Linear Congruential Generator (LCG) will be used. Such number generators use complex mathematical operations to generate a stream of numbers which are random at least in so far as it is impossible to predict future numbers based on the numbers already generated."

Complete Story

Related Stories: