| From: | Tomasz Ostrowski <tometzky(at)batory(dot)org(dot)pl> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Lexington Luthor <Lexington(dot)Luthor(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Generating unique session ids |
| Date: | 2006-07-27 14:35:19 |
| Message-ID: | 20060727143517.GC15258@batory.org.pl |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Thu, 27 Jul 2006, Tom Lane wrote:
> Tomasz Ostrowski <tometzky(at)batory(dot)org(dot)pl> writes:
> > * When somebody knows md5('secret_salt' || '5') he will be able to
> > easily compute
> > md5('secret_salt' || '50')
> > md5('secret_salt' || '51')
>
> Sure, but can't you fix that by putting the secret part at the end?
I'm not so sure anymore. I think I was wrong... Forget it.
> > * PostgreSQL integers (as returned by nextval()) are 4 bytes. This
> > means only 32 bit strength - much too low for today computers.
>
> Um, nextval returns int8.
OK. 64 bit should be enough.
> > * Any database user is most of the time able to read function
> > bodies, so anybody who is able co connect to your database will be
> > able to get your 'secret_salt' and then predict session id's.
>
> Yeah, it's not clear where to hide the secret.
As somebody said it would be possible with restricted table and
security definer function.
Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
Winnie the Pooh
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Laboratorio Tux | 2006-07-27 15:02:18 | Consulta de importar o restaurar base |
| Previous Message | Scott Eade | 2006-07-27 14:34:15 | UTF-8, upper() and Chinese characters yielding blank result |