php5-uuid


6 replies to this topic

#1 werty37


Posted 29 May 2006 - 03:45 PM

Hi everyone,

Recently I saw a package "php5-uuid" in my Synaptic manager. I'm using the Ubuntu
Dapper Drake distribution. The description says:
*********************************************************************
OSSP uuid module for php5
OSSP uuid is an ISO-C and Perl application programming interface (API)
and corresponding command line interface (CLI) for the generation of
DCE 1.1 and ISO/IEC 11578:1996 compliant Universally Unique Identifier
(UUID). It supports DCE 1.1 variant UUIDs of version 1 (time and node
based), version 3 (name based) and version 4 (random number based).

UUIDs are 128 bit numbers which are intended to have a high likelihood
of uniqueness over space and time and are computationally difficult
to guess. They are globally unique identifiers which can be locally
generated without contacting a global registration authority. UUIDs
are intended as unique identifiers for both mass tagging objects
with an extremely short lifetime and to reliably identifying very
persistent objects across a network.

This package provides a module for OSSP uuid functions support in PHP
scripts.
*********************************************************************

Does anyone know how to use this in php5 scripts?
Sorry for the long text..

Thanks in advance
werty


#2 Ferenc


Posted 29 May 2006 - 03:52 PM

PHPSESSID is an identifier of a current session.

QUOTE
> The session module cannot guarantee that the information you store in a session is only viewed by the user who created the session. You need to take additional measures to actively protect the integrity of the session, depending on the value associated with it.
>
> Assess the importance of the data carried by your sessions and deploy additional protections -- this usually comes at a price, reduced convenience for the user. For example, if you want to protect users from simple social engineering tactics, you need to enable session.use_only_cookies. In that case, cookies must be enabled unconditionally on the user side, or sessions will not work.
>
> There are several ways to leak an existing session id to third parties. A leaked session id enables the third party to access all resources which are associated with a specific id. First, URLs carrying session ids. If you link to an external site, the URL including the session id might be stored in the external site's referrer logs. Second, a more active attacker might listen to your network traffic. If it is not encrypted, session ids will flow in plain text over the network. The solution here is to implement SSL on your server and make it mandatory for users.

If you use it as a 'uuid' is up to you.
If you stick it in a DB is also up to you ( the database doesn't care)
Everything you want to know is here.

#3 werty37


Posted 29 May 2006 - 04:04 PM

QUOTE (Ferenc @ May 29 2006, 09:22 PM)
> PHPSESSID is an identifier of a current session.
> If you use it as a 'uuid' is up to you.
> If you stick it in a DB is also up to you ( the database doesn't care)


I hope the above reply is for the topic "PHPSESSID". But I just want to know
that the PHPSESSID generated by PHP is a uuid. Does PHP generate the same
session IDs over time?

Thanks for the reply.
werty


#4 Ferenc


Posted 29 May 2006 - 07:51 PM

I will assume a session id can be repeated over a period of time; I never looked into them that far.
Odds are not likely, but possible (I haven't won the lottery yet either).

So yes it could be a uuid, but not a secure one.

The session id can also be assigned.

So, using uniqid() (http://us2.php.net/uniqid) would get session id closer to meeting the uuid requirements you posted.

#5 werty37


Posted 30 May 2006 - 02:12 AM

You mean this will give a better uuid, right?

<?php
session_start();
echo uniqid(session_id()); //echo uniqid(session_id(),true);
?>


#6 Ferenc


Posted 30 May 2006 - 04:14 AM

Yes, a harder to guess uuid.

But, session id needs to be set before session start...

<?php
// Build the token first: session_id() must be called before session_start().
$token = md5(uniqid(rand(), true));
session_id($token);
session_start();
echo SID;
?>

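Added example, not part of the original thread: uniqid() is built from the current time in microseconds and rand() is not a cryptographic generator, so the token above is unique-ish but not hard to guess. The sketch below lets PHP issue the session id itself, with the session.use_only_cookies setting from the manual text quoted earlier, and builds a version 4 (random) UUID from the OS CSPRNG for anything that needs its own identifier. It assumes PHP 7.0 or later for random_bytes(); the function name uuid_v4() is chosen here.

```php
<?php
declare(strict_types=1);

// Session settings go first: they must be set before session_start() and
// before any output is sent.
ini_set('session.use_only_cookies', '1'); // never accept the id from a URL
ini_set('session.use_strict_mode', '1');  // PHP 5.5.2+: reject ids the server did not issue
session_start();                          // PHP generates the session id itself
session_regenerate_id(true);              // fresh id, e.g. right after login

/**
 * Version 4 UUID (random number based) in the DCE 1.1 variant.
 * uuid_v4() is a name chosen for this example, not a PHP built-in.
 */
function uuid_v4(): string
{
    $b = random_bytes(16);                    // 128 bits from the OS CSPRNG
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40);  // version field = 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80);  // variant field = binary 10xx
    // 32 hex digits split into 8 groups of 4, joined as 8-4-4-4-12.
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

// Two uniqid() calls made back to back share most of their digits because
// both are derived from the clock: uniqueness, not unpredictability.
$first  = uniqid();
$second = uniqid();
printf("uniqid:  %s %s\n", $first, $second);

// 122 of the 128 bits are random; 6 are fixed by the version and variant.
printf("uuid v4: %s\n", uuid_v4());
```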

#7 werty37


Posted 30 May 2006 - 05:44 PM

Thanks a lot Ferenc...



