HTTP and Sessions 125

Thus, the data needs
126 Chapter 4 Web Application Concepts

Anyone who tried to crack this would have to perform a brute force attack over all possible elements; the attacker would have to find a valid session ID from 340,282,366,920,938,463,463,374,607,431,768,211,456 possible values. Cryptanalysts Van Oorschot and Wiener developed a theoretical search machine for MD5 and estimated in 1994 that such a machine (estimated cost: $10 million) would take 24 days on average to crack an MD5-encrypted message.[2] If this worries you, you should consider disconnecting your server from the Internet. By the way, md5(uniqid()), the same construct from above without a rand() call, would not be sufficiently random: because uniqid() is based on the system time, it can be guessed if the hacker learns the local system time of the server. The space to be searched is then considerably less than 2^128.

Session ID Propagation with Cookies

Now the only remaining issue is making the session ID available to all pages of your application. One way to do it is by setting a cookie containing the ID. If you want to be able to identify a user over multiple visits, using cookies is the only possibility. Unfortunately, a percentage of your users may have turned off cookies in their browsers (some estimates show figures of up to 20%). Depending on your target audience, it may be acceptable to redirect these users to a help page explaining how to enable cookies. Passing the session ID with cookies is by far the easiest method for the developer. Except for setting the cookie, nothing needs to be done by your application.
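The following is an added example, not code from the book, showing the md5(uniqid(rand())) construct discussed above next to a variant that draws its 128 bits from the operating system's random source instead of the clock, and then propagating the ID with a cookie. The cookie name "sid", the function names, and the use of the setcookie() options array (PHP 7.3 or later) are assumptions of this example.

```php
<?php
// Added example (not from the book): session ID generation and cookie
// propagation. Cookie name and function names are placeholders.

// The construct from the text: md5() over uniqid() seeded with rand().
function legacy_session_id(): string
{
    return md5(uniqid((string) rand()));
}

// Variant added here: 16 bytes from the OS CSPRNG. uniqid() is clock-based
// and rand() is not a cryptographic generator, so an attacker who learns the
// server time narrows the search; random_bytes() has no such dependency and
// the 32-hex-character shape keeps the full 2^128 search space.
function strong_session_id(): string
{
    return bin2hex(random_bytes(16));
}

// Accept only IDs of the shape we issue before using one as a lookup key.
function is_valid_session_id(string $id): bool
{
    return preg_match('/^[0-9a-f]{32}$/', $id) === 1;
}

// Start or resume a session via the "sid" cookie (placeholder name).
function start_cookie_session(): string
{
    $id = $_COOKIE['sid'] ?? '';
    if (!is_valid_session_id($id)) {
        $id = strong_session_id();
        // No 'expires': a session cookie that dies with the browser.
        // httponly keeps it away from page scripts, secure restricts it
        // to HTTPS, samesite limits cross-site requests carrying it.
        setcookie('sid', $id, [
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Strict',
        ]);
    }
    return $id;
}

// Typical use at the top of every page: $sid = start_cookie_session();
```

A server-side check that the ID actually exists in your session store still belongs after start_cookie_session(); the regex only rejects values that could never have been issued, which keeps malformed input out of the store lookup.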
Manual URL Rewriting

You can also use manual URL rewriting for session ID propagation. This means that you pass the session ID via GET/POST or you hide it in the URL. You need to alter all frame, form, and a HTML tags to include a reference to your ID:

    // A frame source definition (file names are placeholders)
    printf('<frame src="frame.php?session_id=%s">', $session_id);
    // A hidden form field
    printf('<input type="hidden" name="session_id" value="%s">', $session_id);
    // A normal link
    printf('<a href="page.php?session_id=%s">Link</a>', $session_id);

If you have image maps, inline frames, or JavaScript redirects in your application, you'll also need to alter those. URL rewriting has several drawbacks:

- It introduces a considerable amount of additional work for you as developer. You have to manually add the session ID to all links. If you forget a single link, the user's session will be lost.
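As an added example (not the book's code), the three tags above can be emitted through a single helper so that every outgoing URL is rewritten the same way and the ID is escaped before it lands in markup; the file names, the parameter name session_id and the function names are assumptions of this example.

```php
<?php
// Added example (not from the book): consistent URL rewriting for session
// ID propagation. File names and function names are placeholders.

// Append session_id to a URL, preserving any existing query string.
function with_session(string $url, string $session_id): string
{
    $sep = (strpos($url, '?') !== false) ? '&' : '?';
    return $url . $sep . 'session_id=' . rawurlencode($session_id);
}

// Escape for an HTML attribute or text position, so a value that came back
// from the client (and may have been tampered with) cannot break out of the
// surrounding markup.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The three tags from the text, all routed through the same helpers.
function render_session_links(string $session_id): string
{
    $out  = '';
    // A frame source definition
    $out .= sprintf('<frame src="%s">', h(with_session('frame.php', $session_id))) . "\n";
    // A hidden form field (POST propagation)
    $out .= sprintf('<input type="hidden" name="session_id" value="%s">', h($session_id)) . "\n";
    // A normal link
    $out .= sprintf('<a href="%s">Link</a>', h(with_session('page.php', $session_id))) . "\n";
    return $out;
}

// Reading the ID back on the next page: POST first, then GET, and only
// values of the shape we issue (32 hex characters) are accepted.
function session_id_from_request(): ?string
{
    $id = $_POST['session_id'] ?? $_GET['session_id'] ?? null;
    if (is_string($id) && preg_match('/^[0-9a-f]{32}$/', $id) === 1) {
        return $id;
    }
    return null;
}

// Typical use: echo render_session_links($sid);
```

Because the ID travels in the URL, it also ends up wherever URLs go: browser history, proxy and server access logs, and the Referer header sent to any external site linked from the page. That leakage is the reason to prefer the cookie mechanism from the previous section when your audience allows it, and to issue a fresh ID rather than reuse one that arrives via a URL after the user authenticates.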