Phobos randomUUID is not suitable to generate secrets
Cym13
cpicard at purrfect.fr
Thu Sep 3 13:15:25 UTC 2020
On Wednesday, 2 September 2020 at 11:14:43 UTC, Kagamin wrote:
> On Monday, 31 August 2020 at 14:14:12 UTC, Cym13 wrote:
>> [1] https://docs.python.org/3/library/secrets.html
>
> or
> https://ruby-doc.org/stdlib-2.7.1/libdoc/securerandom/rdoc/SecureRandom.html
> But then how do you know that session ids are secrets and not
> just ids?

In almost all implementations, when a session ID is used it is
the information that identifies the user as logged in using a
given account. That information is typically sufficient to obtain
access to said account, so session IDs are typically secret. Of
course you can imagine or find a counter-example, but it doesn't
weaken the point: randomUUID is not suitable to generate secrets.