line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
############################################################################# |
2
|
|
|
|
|
|
|
# |
3
|
|
|
|
|
|
|
# Apache::Session::Generate::MD5; |
4
|
|
|
|
|
|
|
# Generates session identifier tokens using MD5 |
5
|
|
|
|
|
|
|
# Copyright(c) 2000, 2001 Jeffrey William Baker (jwbaker@acm.org) |
6
|
|
|
|
|
|
|
# Distribute under the Perl License |
7
|
|
|
|
|
|
|
# |
8
|
|
|
|
|
|
|
############################################################################ |
9
|
|
|
|
|
|
|
|
10
|
|
|
|
|
|
|
package Apache::Session::Generate::MD5; |
11
|
|
|
|
|
|
|
|
12
|
3
|
|
|
3
|
|
1689
|
use strict; |
|
3
|
|
|
|
|
7
|
|
|
3
|
|
|
|
|
122
|
|
13
|
3
|
|
|
3
|
|
15
|
use vars qw($VERSION); |
|
3
|
|
|
|
|
6
|
|
|
3
|
|
|
|
|
125
|
|
14
|
3
|
|
|
3
|
|
14
|
use Digest::MD5; |
|
3
|
|
|
|
|
7
|
|
|
3
|
|
|
|
|
1229
|
|
15
|
|
|
|
|
|
|
|
16
|
|
|
|
|
|
|
$VERSION = '2.12'; |
17
|
|
|
|
|
|
|
|
18
|
|
|
|
|
|
|
sub generate { |
19
|
33
|
|
|
33
|
0
|
24564
|
my $session = shift; |
20
|
33
|
|
|
|
|
118
|
my $length = 32; |
21
|
|
|
|
|
|
|
|
22
|
33
|
100
|
|
|
|
165
|
if (exists $session->{args}->{IDLength}) { |
23
|
28
|
|
|
|
|
51
|
$length = $session->{args}->{IDLength}; |
24
|
|
|
|
|
|
|
} |
25
|
|
|
|
|
|
|
|
26
|
33
|
|
|
|
|
668
|
$session->{data}->{_session_id} = |
27
|
|
|
|
|
|
|
substr(Digest::MD5::md5_hex(Digest::MD5::md5_hex(time(). {}. rand(). $$)), 0, $length); |
28
|
|
|
|
|
|
|
|
29
|
|
|
|
|
|
|
|
30
|
|
|
|
|
|
|
} |
31
|
|
|
|
|
|
|
|
32
|
|
|
|
|
|
|
sub validate { |
33
|
|
|
|
|
|
|
#This routine checks to ensure that the session ID is in the form |
34
|
|
|
|
|
|
|
#we expect. This must be called before we start diddling around |
35
|
|
|
|
|
|
|
#in the database or the disk. |
36
|
|
|
|
|
|
|
|
37
|
2
|
|
|
2
|
0
|
4
|
my $session = shift; |
38
|
|
|
|
|
|
|
|
39
|
2
|
100
|
|
|
|
17
|
if ($session->{data}->{_session_id} =~ /^([a-fA-F0-9]+)$/) { |
40
|
1
|
|
|
|
|
7
|
$session->{data}->{_session_id} = $1; |
41
|
|
|
|
|
|
|
} else { |
42
|
1
|
|
|
|
|
14
|
die "Invalid session ID: ".$session->{data}->{_session_id}; |
43
|
|
|
|
|
|
|
} |
44
|
|
|
|
|
|
|
} |
45
|
|
|
|
|
|
|
|
46
|
|
|
|
|
|
|
1; |
47
|
|
|
|
|
|
|
|
48
|
|
|
|
|
|
|
=pod |
49
|
|
|
|
|
|
|
|
50
|
|
|
|
|
|
|
=head1 NAME |
51
|
|
|
|
|
|
|
|
52
|
|
|
|
|
|
|
Apache::Session::Generate::MD5 - Use MD5 to create random object IDs |
53
|
|
|
|
|
|
|
|
54
|
|
|
|
|
|
|
=head1 SYNOPSIS |
55
|
|
|
|
|
|
|
|
56
|
|
|
|
|
|
|
use Apache::Session::Generate::MD5; |
57
|
|
|
|
|
|
|
|
58
|
|
|
|
|
|
|
$id = Apache::Session::Generate::MD5::generate(); |
59
|
|
|
|
|
|
|
|
60
|
|
|
|
|
|
|
=head1 DESCRIPTION |
61
|
|
|
|
|
|
|
|
62
|
|
|
|
|
|
|
This module fulfills the ID generation interface of Apache::Session. The |
63
|
|
|
|
|
|
|
IDs are generated using a two-round MD5 of a random number, the time since the |
64
|
|
|
|
|
|
|
epoch, the process ID, and the address of an anonymous hash. The resultant ID |
65
|
|
|
|
|
|
|
number is highly entropic on Linux and other platforms that have good |
66
|
|
|
|
|
|
|
random number generators. You are encouraged to investigate the quality of |
67
|
|
|
|
|
|
|
your system's random number generator if you are using the generated ID |
68
|
|
|
|
|
|
|
numbers in a secure environment. |
69
|
|
|
|
|
|
|
|
70
|
|
|
|
|
|
|
This module can also examine session IDs to ensure that they are, indeed, |
71
|
|
|
|
|
|
|
session ID numbers and not evil attacks. The reader is encouraged to |
72
|
|
|
|
|
|
|
consider the effect of bogus session ID numbers in a system which uses |
73
|
|
|
|
|
|
|
these ID numbers to access disks and databases. |
74
|
|
|
|
|
|
|
|
75
|
|
|
|
|
|
|
This modules takes one argument in the usual Apache::Session style. The |
76
|
|
|
|
|
|
|
argument is IDLength, and the value, between 0 and 32, tells this module |
77
|
|
|
|
|
|
|
where to truncate the session ID. Without this argument, the session ID will |
78
|
|
|
|
|
|
|
be 32 hexadecimal characters long, equivalent to a 128-bit key. |
79
|
|
|
|
|
|
|
|
80
|
|
|
|
|
|
|
=head1 AUTHOR |
81
|
|
|
|
|
|
|
|
82
|
|
|
|
|
|
|
This module was written by Jeffrey William Baker <jwbaker@acm.org>. |
83
|
|
|
|
|
|
|
|
84
|
|
|
|
|
|
|
=head1 SEE ALSO |
85
|
|
|
|
|
|
|
|
86
|
|
|
|
|
|
|
L<Apache::Session> |