Session hash: does size matter?

Does size matter when choosing the right algorithm to use for a session hash?

I recently read this article (http://php-security.org/2010/05/09/mops-submission-04-generating-unpredictable-session-ids-and-hashes/index.html) and it suggested using Whirlpool to create a hash for the session id. Whirlpool generates a 128 character hash string; is this too large?

The plan is to store the session hash in a db. Is there much of a difference between maybe using a 64 character field (sha256), a 96 character field (sha384) or a 128 character field (whirlpool)? One of the initial arguments made for Whirlpool was the speed vs other algorithms, but looking at the speed results sha384 doesn't fare too badly.

There is the option to truncate the hash to make it smaller than 128 characters.

I did modify the original code snippet to allow changing of the algorithm based on the needs.

Update: There was some discussion about the string being hashed, so I've included the code.

```php
function generateUniqueId($maxLength = null)
{
    $entropy = '';

    // try ssl first
    if (function_exists('openssl_random_pseudo_bytes')) {
        // $strong is set by reference to tell us whether a CSPRNG was used
        $entropy = openssl_random_pseudo_bytes(64, $strong);
        // skip ssl since it wasn't using the strong algo
        if ($strong !== true) {
            $entropy = '';
        }
    }

    // add some basic mt_rand/uniqid combo
    $entropy .= uniqid(mt_rand(), true);

    // try to read from the windows RNG
    if (class_exists('COM')) {
        try {
            $com = new COM('CAPICOM.Utilities.1');
            $entropy .= base64_decode($com->GetRandom(64, 0));
        } catch (Exception $ex) {
            // COM object unavailable; fall through to the other sources
        }
    }

    // try to read from the unix RNG
    if (is_readable('/dev/urandom')) {
        $h = fopen('/dev/urandom', 'rb');
        $entropy .= fread($h, 64);
        fclose($h);
    }

    // create hash (128 hex characters for whirlpool)
    $hash = hash('whirlpool', $entropy);

    // truncate hash if max length imposed
    if ($maxLength) {
        return substr($hash, 0, $maxLength);
    }

    return $hash;
}
```
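As an added example (not part of the question or the linked article), here is the same hash-and-truncate idea in Python together with the arithmetic behind the 64/96/128 character choice: a hex digest carries 4 bits per character, so a Whirlpool token truncated to a 64 character column holds no more than the 256 bits a full sha256 does, and no token can hold more than the entropy fed into the hash. Assumptions: `os.urandom(64)` stands in for the several entropy sources in the PHP snippet, and Whirlpool is only available if the local OpenSSL build provides it.

```python
import hashlib
import os

# Digest sizes (bits) of the algorithms discussed; hex output is 4 bits per char,
# so 256 -> 64 chars, 384 -> 96 chars, 512 -> 128 chars.
DIGEST_BITS = {"sha256": 256, "sha384": 384, "whirlpool": 512}


def generate_session_id(algorithm="sha256", max_length=None, entropy=None):
    """Hash 64 bytes of OS randomness and optionally truncate the hex digest.

    `entropy` may be passed explicitly for deterministic tests; otherwise it
    comes from os.urandom, the CSPRNG the PHP snippet reads via /dev/urandom.
    """
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"{algorithm} is not available in this OpenSSL build")
    if entropy is None:
        entropy = os.urandom(64)  # 512 bits of input entropy
    digest = hashlib.new(algorithm, entropy).hexdigest()
    return digest[:max_length] if max_length else digest


def effective_bits(algorithm, max_length=None, input_bits=512):
    """Upper bound on the token's unpredictability, in bits.

    Bounded by the smallest of: entropy fed in, digest size, and
    4 bits per hex character kept after truncation.
    """
    bits = min(input_bits, DIGEST_BITS[algorithm])
    if max_length:
        bits = min(bits, 4 * max_length)
    return bits


def column_report(max_length=None):
    """Map each algorithm to (hex chars stored in the DB column, effective bits)."""
    report = {}
    for algorithm, bits in DIGEST_BITS.items():
        chars = bits // 4
        if max_length:
            chars = min(chars, max_length)
        report[algorithm] = (chars, effective_bits(algorithm, max_length))
    return report
```

Running `column_report(64)` shows all three algorithms collapsing to (64, 256): once the column is fixed at 64 characters, the choice of digest no longer changes how hard the token is to guess.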