perl-Session-Token - Secure, efficient, simple random session token generation
||ALT Linux Sisyphus
This module provides a secure, efficient, and simple interface for creating session tokens, password reset codes, temporary passwords, random identifiers, and anything else you can think of.
When a Session::Token object is created, 1024 bytes are read from `/dev/urandom' (Linux, Solaris, most BSDs), `/dev/arandom' (some older BSDs), or the Crypt::Random::Source::Strong::Win32 manpage (Windows). These bytes are used to seed the ISAAC-32 pseudo random number generator.
Once a generator is created, you can repeatedly call the `get' method on the generator object and it will return a new token each time.
IMPORTANT: If your application calls `fork', make sure that any generators are re-created in one of the processes after the fork since forking will duplicate the generator state and both parent and child processes will go on to produce identical tokens (just like perl's the rand manpage after it is seeded).
After the generator context is created, no system calls are used to generate tokens. This is one way that Session::Token helps with efficiency. However, this is only important for certain use cases (generally not web sessions).
ISAAC is a cryptographically secure PRNG that improves on the well-known RC4 algorithm in some important areas. For instance, it doesn't have short cycles or initial bias like RC4 does. A theoretical shortest possible cycle in ISAAC is `2**40', although no cycles this short have ever been found (and probably don't exist at all). On average, ISAAC cycles are `2**8295'.
Creators of server applications must choose whether a single generator will be kept around and used to generate all tokens, or if a new Session::Token object will be created every time a token is needed.
Generally speaking the generator should be kept around and re-used. Probably the most important reason for this is that generating a new token from an existing generator cannot fail due to a full file descriptor table. Creating a new Session::Token object for every token can fail because the constructor opens `/dev/urandom' which will not succeed if all allotted descriptors are in use. Programs that re-use the generator are also more efficient and are less likely to cause problems in `chroot'ed environments where `/dev/urandom' can no longer be opened.
However, re-using a generator may be undesirable because servers are typically started immediately after a system reboot and the kernel's randomness pool might be poorly seeded at that point meaning that all subsequently generated tokens may be based on a weak/predictable seed. For this reason, you might choose to defer creating the generator until the first request actually comes in and/or periodically re-create the generator object.
Aside: Some crappy (usually C) programs that assume opening `/dev/urandom' will always succeed can return session tokens based only on the contents of nulled or uninitialised memory (unix really ought to provide a system call for random data). Session::Token throws an exception if it can't seed itself.
- Add the following line to /etc/apt/sources.list:
rpm [Sisyphus] http://ftp.altlinux.org/pub/distributions/ALTLinux/autoimports/Sisyphus x86_64 autoimports
rpm [Sisyphus] http://ftp.altlinux.org/pub/distributions/ALTLinux/autoimports/Sisyphus noarch autoimports
- Update the package index:
# sudo apt-get update
- Install perl-Session-Token rpm package:
# sudo apt-get install perl-Session-Token