[Zope] CoreSessionTracking: Brute-Forcing Web Application Session IDs
Dieter Maurer
dieter@handshake.de
Tue, 27 Nov 2001 21:27:31 +0100
Chris McDonough writes:
> > It's very cost effective to integrate a hash and a secret: It does
> > cost nearly nothing for you, the maintainer of CoreSessions and it
> > really costs nothing besides a few CPU cycles for the sites using
> > it. But it makes it *much* harder for potential attackers to go for a
> > session id.
> > So I think it should be done:)
>
> OK, so do you recommend that I just use a shared secret string to
> obfuscate the session id?
Under my Linux (SuSE Linux 7.1), the random number generator is
initialized on first installation and saved/restored across restarts.
This means its state is very random and could be used as a
secret.
Not sure how other OSes handle this issue....
Dieter
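The "hash plus secret" construction discussed above, shown as an added example in Python. This is not code from the original post or from CoreSessionTracking; the function names are hypothetical, HMAC-SHA256 is chosen here as the keyed hash, and os.urandom() stands in for the kernel random pool the message refers to (the per-process secret and the 16-byte token size are assumptions of this example).

```python
import hashlib
import hmac
import os
import secrets

# Per-site secret. os.urandom() reads the kernel's random pool (the generator
# the post mentions); the secret is drawn once at startup and kept in memory.
# Generating it per process is an assumption of this example, not
# CoreSessionTracking's behaviour.
SITE_SECRET = os.urandom(32)


def make_session_id(secret=SITE_SECRET, nbytes=16):
    """Return a session id of the form '<random-token>.<hmac-tag>'.

    The token carries the entropy; the tag is HMAC-SHA256(secret, token), so a
    client cannot mint an id the server accepts without knowing the secret,
    even if it can guess or enumerate tokens.
    """
    token = secrets.token_hex(nbytes)
    tag = hmac.new(secret, token.encode("utf-8"), hashlib.sha256).hexdigest()
    return token + "." + tag


def verify_session_id(sid, secret=SITE_SECRET):
    """Accept sid only if its tag equals HMAC-SHA256(secret, token).

    hmac.compare_digest keeps the comparison constant-time, so an attacker
    cannot recover the correct tag byte by byte from response timing.
    """
    token, sep, tag = sid.partition(".")
    if not sep or not token or not tag:
        return False
    expected = hmac.new(secret, token.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8"))


def count_forgeries(token, secret, tries=10000):
    """Simulate an attacker who knows a valid token but not the secret and
    submits random 256-bit tags for it. Returns how many of `tries` guesses
    verify; each guess succeeds with probability 2**-256, so the count is 0.
    """
    hits = 0
    for _ in range(tries):
        guess = token + "." + secrets.token_hex(32)
        if verify_session_id(guess, secret):
            hits += 1
    return hits


if __name__ == "__main__":
    sid = make_session_id()
    print("issued:", sid)
    print("valid :", verify_session_id(sid))
    print("tampered valid:", verify_session_id(sid[:-1] + "0"))
    print("forgeries out of 10000:", count_forgeries(sid.split(".")[0], SITE_SECRET))
```

The cost for the site is one HMAC per request; the cost for an attacker who could previously enumerate or predict bare session ids becomes a search over the 256-bit tag space, which is the "much harder" the thread is after. The secret must stay server-side and should be re-drawn (invalidating all sessions) if it is ever exposed.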