The possibility is always there, just like it is always possible for some lucky hacker to correctly guess the username and password of any account. The probability of getting hacked, however, depends on many factors.
In case you have not noticed, the session ID is a fairly random 32-character hexadecimal string. It is fairly unlikely for a hacker to come up with a string that matches that of an active session to begin with. There are
or
(approximately 64 billion)
possible combinations. This means that even if there are one million active sessions, the chances of "guessing" the ID of one of them is still less than one over 64 million.
If I were a crook, I'd spend my time and money buying lottery tickets (instead of guessing the ID of an active session).
Furthermore, you can also use other means to ensure security. For example, the IP address of the client is accessible via $session->remote_addr. You can store this as a parameter of the session. As you resume a session, you can check the IP address first to see if it matches the stored one.
Note that remote address matching may cause problems for clients with dynamic IPs. This is particularly important for dial-up users. The IP address of each dial-up session is almost guaranteed to change, especially for a busy ISP.
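As an added example (not code from this page or from the CGI::Session distribution itself), here is how the remote-address check described above can be wired into a CGI script. It assumes the File driver with a session directory of /tmp/sessions and a session parameter named client_addr; both names are arbitrary choices, and a mismatch is handled by discarding the session and starting a fresh one, which is the behaviour that the dynamic-IP caveat above applies to.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;

# Assumed values: any writable directory and any parameter name will do.
my $SESSION_DIR = '/tmp/sessions';
my $ADDR_PARAM  = 'client_addr';

# Returns true when the address stored in the session matches the address
# of the client making the current request.
sub addr_matches {
    my ($stored, $current) = @_;
    return 0 unless defined $stored && defined $current;
    return $stored eq $current ? 1 : 0;
}

my $cgi = CGI->new;

# Load the session named in the CGISESSID cookie (or query parameter),
# or create a new one if none is presented.
my $session = CGI::Session->new('driver:File', $cgi, { Directory => $SESSION_DIR })
    or die CGI::Session->errstr;

my $current_addr = defined $ENV{REMOTE_ADDR} ? $ENV{REMOTE_ADDR} : '';
my $stored_addr  = $session->param($ADDR_PARAM);

if (defined $stored_addr) {
    # Resumed session: refuse it if the client address no longer matches.
    # A user whose IP changed mid-session (dial-up, NAT pool) lands here too,
    # and is simply given a new, empty session.
    unless (addr_matches($stored_addr, $current_addr)) {
        $session->delete;   # mark the mismatched session for removal
        $session->flush;    # write the deletion to the store now
        $session = CGI::Session->new('driver:File', undef, { Directory => $SESSION_DIR })
            or die CGI::Session->errstr;
        $session->param($ADDR_PARAM, $current_addr);
    }
} else {
    # Brand-new session: remember the address it was created from.
    $session->param($ADDR_PARAM, $current_addr);
}

$session->flush;

# Send the session cookie along with the response.
print $session->header(-type => 'text/plain');
print 'Session ', $session->id, " bound to ", $session->param($ADDR_PARAM), "\n";
```

A softer variant, which is kinder to clients on dynamic addresses, is to keep the session but require the user to log in again when the address changes, rather than deleting it outright.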
For most applications, just using the default session ID in CGI::Session should be sufficiently secure.
Copyright © 2008-05-09 by Tak Auyeung