-
Notifications
You must be signed in to change notification settings - Fork 8
/
SessionIdFactory.java
32 lines (27 loc) · 1.02 KB
/
SessionIdFactory.java
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
package org.owasp.oneliner.session;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import javax.annotation.Resource;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
/**
* Author: @johnwilander
* Date: 2010-12-18
*/
public class SessionIdFactory {
public SessionId createNewSessionId() {
SecureRandom secureRandom = new SecureRandom();
secureRandom.setSeed(System.currentTimeMillis());
byte[] bytes = new byte[16];
secureRandom.nextBytes(bytes);
return new SessionId(new String(Hex.encodeHex(bytes)));
}
}
/*
Problem: The pseudo random generator is instantiated for every session id and it's
seeded with a timestamp which is not a good source of randomness. If the attacker
knows roughly when the victim logged in he/she can try to brute force the session
id. 1,000 tries covers a second. 60,000 tries covers a minute.
*/