Re: Generating unique session ids
От | Tom Lane |
---|---|
Тема | Re: Generating unique session ids |
Дата | |
Msg-id | 6193.1154007580@sss.pgh.pa.us обсуждение исходный текст |
Ответ на | Re: Generating unique session ids (Tomasz Ostrowski <tometzky@batory.org.pl>) |
Ответы |
Re: Generating unique session ids
Re: Generating unique session ids |
Список | pgsql-general |
Tomasz Ostrowski <tometzky@batory.org.pl> writes: > * When somebody knows md5('secret_salt' || '5') he will be able to > easily compute > md5('secret_salt' || '50') > md5('secret_salt' || '51') Sure, but can't you fix that by putting the secret part at the end? > * PostgreSQL integers (as returned by nextval()) are 4 bytes. This > means only 32 bit strength - much too low for today computers. Um, nextval returns int8. > * Any database user is most of the time able to read function > bodies, so anybody who is able co connect to your database will be > able to get your 'secret_salt' and then predict session id's. Yeah, it's not clear where to hide the secret. regards, tom lane
В списке pgsql-general по дате отправления: