Project

General

Profile

Actions

Defect #3351

closed

Weak autologin token generation algorithm causes duplicate tokens

Added by Alexander Pavlov over 15 years ago. Updated over 15 years ago.

Status:
Closed
Priority:
Urgent
Assignee:
-
Category:
Accounts / authentication
Target version:
Start date:
2009-05-13
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

After switching to mod_passenger we got 7 (seven!) duplicated autologin tokens within 2 weeks. It caused some changes have been made under wrong user account!

Looks like due to using of pseudo-random sequence generator two concurrent Ruby processes may use the same random seed (and as result the same random sequence).

At our instance we made quick fix - prepend random sequence with "#{user.id}_" and substring left 40 chars, however, I guess there may be better solution.

Actions

Also available in: Atom PDF