On Tue, Nov 01, 2005 at 17:00:50 -0500, "Mark R. Dingee" <mark.dingee@cox.net> wrote:
> Bruno,
>
> I use an authenticate() function as a part of state maintenance in a PHP web
> app. In the function, I generate an encrypted token that is then used in the
> validation process on subsequent pages. md5 works, but I've been able to
> brute-force crack it very quickly, so I'm looking for an alternative. Any
> thoughts would be greatly appreciated.
This isn't a problem with MD5. While MD5 does have some theoretical weaknesses,
they aren't really an issue in this case.
Why are you using a hash at all? If you are using the hash as a key, why not
just use a random string instead? The web browser could be handed a session id
and random string and on the server you would have a table indexed by session
ids that includes the random string.
On many systems you can use /dev/urandom as a source of random data. Since
you don't seem to be concerned about sniffing, /dev/random is probably overkill
and having it block when low on entropy would probably be a problem for you.