How to create a secure session id

Question

How to create a secure session id

for C ++ web server I need to generate a session id. I was thinking of using some sort of random number and hash with the starting IP address of the session and possibly a timestamp.

Would this give a reasonable unidentified identifier? What would be a good random generator algorithm (the most preferred option implemented using boost-random)?

Regards Thorsten

My solution now looks like this:

std::string secure_session_generator::operator()( const char* /* network_connection_name */ ) { std::stringstream out; out << std::hex << distribution_( generator_ ); return out.str(); }

with elements built by default:

  boost::random::random_device generator_; boost::random::uniform_int_distribution< boost::uint_least64_t > distribution_;

+4

security boost-random

Torsten robitzki Jul 02 '12 at 9:13

source share

1 answer

Trickfire · Accepted Answer · 2012-07-02T09:21:35+0000

You can use an example here: A promotion example . Then simply increase the size to a more suitable session identifier, for example 64 characters or something else. That way, you don't need to use calculations for hashing or anything else, and it is already readable.

Or without using boost-random and just using ctime and stdio.h

 string getRandom(int ip) { srand(time(NULL) + ip + rand()); stringstream ss; for(int i = 0;i < 64;i++) { int i = rand() % 127; while(i < 32) i = rand() % 127; ss << char(i); } return ss.str(); }

Alternatively, without using an IP address, you can simply return rand () instead of the IP address, just make sure you generate something.

In addition, I'm certainly not a cryptographer, so use your own risk.

How to create a secure session id

More articles: