On Wed, 26 Dec 2007 22:21:44 +0100, Edi Weitz wrote:
On Wed, 26 Dec 2007 21:09:37 +0000 (UTC), Sohail Somani sohail@taggedtype.net wrote:
In reality, it looks like this:
- (concatenate 'string *session-secret* id user-agent ip-address time-of-session-start)
And don't forget MD5. Even if the random number generator were weak, you'd have a hard time figuring out where in the random sequence you are, right?
Practically, yes. I think it still depends on the RNG and how much knowledge I have of your server setup.
To me, the documentation makes it seem like there is no randomness involved. I think it should mention that there is some randomness but the quality of the security is dependent on the quality of the RNG. In any case, Hunchentoot has done as close to an optimal job as is economical. In my highly unqualified opinion of course (IMHUQO?) :-)
but I don't know enough about the Lisp random number generators to say.
This is obviously implementation-dependent. Some Lisp implementations also offer more choices for random number generators, for example:
http://www.lispworks.com/documentation/lw50/LWRM/html/lwref-326.htm
Thanks! I've been meaning to try LW but SBCL is very nice to me so far :-)
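
The construction quoted in this thread, as an added Python sketch that is not Hunchentoot's code and was not posted by either participant: an MD5 digest over the session secret concatenated with the per-session values, with the secret as the only input a client cannot observe. The function names, the use of the OS CSPRNG for the secret, the server-side recomputation check and the sample values are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def new_session_secret(nbytes=32):
    """Server-wide secret from the OS CSPRNG (assumption: not how any Lisp
    implementation seeds its own generator)."""
    return secrets.token_hex(nbytes)


def session_string(secret, session_id, user_agent, ip_address, start_time):
    """MD5 over the concatenation quoted in the thread, in the same order:
    secret, id, user-agent, ip-address, time-of-session-start."""
    material = "".join(
        [secret, str(session_id), user_agent, ip_address, str(start_time)]
    )
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def verify(secret, presented, session_id, user_agent, ip_address, start_time):
    """Recompute the string from what the server sees on this request and
    compare in constant time (hypothetical check, added for illustration)."""
    expected = session_string(
        secret, session_id, user_agent, ip_address, start_time
    )
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = new_session_secret()
    args = (42, "ExampleBrowser/1.0", "192.0.2.10", 3407699000)
    token = session_string(secret, *args)

    print("session string:", token)
    print("same client   :", verify(secret, token, *args))
    # Same token replayed from another address: the digest no longer matches.
    print("other address :",
          verify(secret, token, 42, "ExampleBrowser/1.0", "192.0.2.99",
                 3407699000))
    # A different secret yields an unrelated digest for identical inputs,
    # so the unpredictability of the secret carries the whole scheme.
    print("other secret  :", verify(new_session_secret(), token, *args))
```
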