[Python-ideas] Should our default random number generator be secure?

Nikolaus Rath Nikolaus at rath.org
Mon Sep 14 20:32:26 CEST 2015

On Sep 14 2015, "M.-A. Lemburg" <mal-SVD0I98eSHvQT0dZR+AlfA at public.gmane.org> wrote:
>>> Code which uses the output from an RNG as session id without adding
>>> any additional security measures is broken, regardless of what kind
>>> of RNG you are using. I bet such code will also take any session id
>>> it receives as cookie and trust it without applying extra checks
>>> on it.
>> Yes, that's... generally the thing you do with session cookies?
>> They're shared secret string that you use as keys into some sort of
>> server-side session database? What extra checks need to be applied?
> You will at least want to add checks that the session id string was
> indeed generated by the server and not some bot trying to
> find valid session ids, e.g. by signing the session id and
> checking the sig on incoming requests.

The chance of a bot hitting a valid (randomly generated) session key by
chance should be just as high as the bot generating a correctly signed
session key by chance, if I'm not mistaken. 

(Assuming, of course, that the completely random key has the same number
of bits as they other key + signature).

GPG encrypted emails preferred. Key id: 0xD113FCAC3C4E599F
Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«

More information about the Python-ideas mailing list