Categories
Code Sample Geek Programming Python

Generating Random Session IDs

For any online service you must log in to gain access to your data. So that you only have to enter your password once, the website must maintain a special unique character sequence called a session key, which tells it that you have already authenticated.

There is a problem with these keys, however, if they are not truly random. This is detailed in a paper I stumbled upon entitled Brute-Force Exploitation of Web Application Session IDs by David Endler. It covers ways in which these keys can be “hacked” because they are not unique, but rather follow some sequence which can be guessed. He lists some major websites on which he was able to access information that should have been private.

The paper got me thinking about how to generate random session keys, so I created some quick Python scripts using Twisted that demonstrate my solution. (This was my first time using Twisted, so it’s very possible that there is a better way to structure the code.)

Solution

The character buffer in the server is used to generate new keys.

To fill the buffer:

  1. Create a list of websites which themselves deliver random web pages (e.g., Wikipedia)
  2. Select a website at random and ask it for a random page
  3. Grab the data within the HTML body tags and put that string in the character buffer
  4. When the buffer needs more data, go back to 1.

To generate X number of keys:

  1. Grab two random-length slices of the character buffer. Use one to re-seed the random generator and the other as the basis for the new session key. Create the session key using MD5 and the key seed
  2. Update() the current MD5 session key with a generated random character or string
  3. Add that key to the buffer.
  4. When the key buffer needs more keys, go back to Step 1. For every Y number of keys generated, go back to Step 0.

Notes

We don’t use a new seed for each MD5 session key because the buffer would be emptied too quickly. Of course, the settings for the buffer size, etc. could be tweaked.
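Both procedures above (filling the character buffer, then producing keys with periodic re-seeding) as an added Python 3 example; this is not the post's Twisted code. The scraped web pages are replaced by constructed HTML snippets so it runs offline, the buffer sizes and the re-seed interval Y are assumed values, and `csprng_key` is added only for comparison, showing the OS-backed `secrets` module a practitioner would reach for today.

```python
import hashlib
import random
import re
import secrets

# Constructed stand-in pages (the post fetches random pages from sites such as Wikipedia).
SAMPLE_PAGES = [
    "<html><body>The quick brown fox jumps over the lazy dog.</body></html>",
    "<html><head><title>t</title></head><body>Pack my box with five dozen liquor jugs.</body></html>",
    "<html><body>Sphinx of black quartz, judge my vow.</body></html>",
    "<html><body>How vexingly quick daft zebras jump!</body></html>",
]

def body_text(html):
    """Fill step 3: keep only the text between the <body> tags."""
    match = re.search(r"<body[^>]*>(.*?)</body>", html, re.S | re.I)
    return match.group(1) if match else ""

class CharBuffer:
    """Fill steps 1-4: a character buffer topped up from a random page."""
    def __init__(self, rng):
        self.rng = rng
        self.data = ""

    def refill(self):
        page = self.rng.choice(SAMPLE_PAGES)  # steps 1-2: random site, random page
        self.data += body_text(page)          # step 3: body text into the buffer

    def take(self, min_len=8, max_len=64):
        """Grab a random length of the buffer, consuming it (assumed size range)."""
        length = self.rng.randint(min_len, max_len)
        while len(self.data) < length:        # step 4: buffer needs more data
            self.refill()
        chunk, self.data = self.data[:length], self.data[length:]
        return chunk

def generate_keys(count, reseed_every=50, seed=None):
    """Key steps 1-4: MD5 over a buffer slice, re-seeding every Y (=reseed_every) keys."""
    rng = random.Random(seed)
    buf = CharBuffer(rng)
    keys = []
    for i in range(count):
        if i % reseed_every == 0:             # every Y keys, go back and re-seed
            rng.seed(buf.take())              # one slice re-seeds the generator
        digest = hashlib.md5(buf.take().encode())         # the other is the key basis
        digest.update(str(rng.getrandbits(64)).encode())  # step 2: update()
        keys.append(digest.hexdigest())       # step 3: add the key to the key buffer
    return keys

def csprng_key(nbytes=16):
    return secrets.token_hex(nbytes)  # comparison: OS-backed CSPRNG session ID
```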

Performance

Running the server code on my Mac Mini (2.16GHz Dual Core) and 5 clients on another machine, I was able to service ~8000 keys/sec (~750 million keys/day).

Conclusion

My experiment satisfied my curiosity and answered the questions from my own project.

There are, of course, many tweaks that can be made. Send me the code changes to your favorites and I’ll include them.

“Click to download the client server files.”:/downloads/code/HTTP-Session-Key.zip

Resources

Categories
Python

Converting journal entries from Outlook to MacJournal

I wrote a Python script to convert a journal file export from Microsoft Outlook to one which can be read by MacJournal.

It requires the Python module csv (included with Python 2.3 or later).

Run the script like so:

./outlook2macjournal.py [input_file] [output_file]

If no input or output files are listed, it will use the following defaults:

Outlook (input): @exchange_export.csv@
MacJournal (output): @macjournal_import.txt@

You can click here to download the Outlook to MacJournal Python script.

Categories
Programming Python

Doing Python-style imports in JavaScript

Lately at work I’ve been doing a lot of programming in JavaScript. Among other things, I have been learning about using the prototype object to do object oriented programming. One thing that I missed was the feature in Python used to import modules directly into other code. For example:

from glorp import blah
import foo

I was happy to have found an open-source project which emulates that functionality in JavaScript! I haven’t been able to do more than skim the web site, but it looks promising.

h3. Resources