There must be something seriously wrong with a.org

[Piru]

Because i just popped in from my pc and it thinks i'm logged in as Piru, when infact this is actually koaftder. Wayne, somethings up.

[Dennis]

 :-o

[Homer]

Koaftder: Could it be a metamorphosis  :lol:
Any other signs of change  :-o

[Piru]

Oh that's just great. Lets see if I appear as koaftder or someone else (this is the real Piru speaking).

[EDIT]Well it looks like I am me myself.[/EDIT]

[koaftder]

I don't know why it did that, i was logged in some 12 hours ago, and when i hit reply in another thread a few minutes ago it posted it as Piru. I was using tor when it did that.

[NoFastMem]

[motorollin]

Hmmmm, sounds like your sessions got mixed up or something. Scary!  :nervous:

--
moto

[coldfish]

I'm pretty sure that isnt Dennis up there either?

Am I me?

(Coldfish)

edit, yep!

glitch in the matrix.

[koaftder]

oops, well, now I'm koaftder. (really Piru)

scary...

[X-ray]

Dude...you missed out on some opportunity for pranks there, man.
Nothing serious of course, but if it was me I would have changed Piru's avatar to a boing ball and underneath, in the location field I would write "You just got boinged by X-ray!"

 :evilgrin:  :hat:  :-P

[Homer]

X-Ray: How can we be sure that its you  :crazy:

[NoFastMem]

Well, I know you're not Homer. Wrong shade of yellow. ;-)

[Karlos]

The session ID is only an MD5 hashcode at the end of the day. It has been demonstrated not so long ago that this algorithm has a collision rate several orders of magnitude greater than its theoretical limit.

Once you get sufficient users with enough login turnover, this problem can be difficult as the number of open sessions increases and with it the likelihood of collision.

More worrying is the fact that XOOPs itself uses MD5 hashcodes for various keys within its implementation.

Also, it is sometimes the case that in PHP, the session ID is passed on the URL if for some reason cookies aren't working and the page allows it (it will usually use an invisible form field in preference, if it can). If you ever see PHPSESSID=<32 character hex string> in your url, don't post it as a link ;-)


-- this post by the actual Karlos, accept no imitations!

[motorollin]

Wouldn't increasing the length of the session ID decrease the likelihood of a "collision"? Personally I use a 128 character key as the session ID when I'm writing a web app.

--
moto

[Karlos]

X-ray wrote:
Dude...you missed out on some opportunity for pranks there, man.
Nothing serious of course, but if it was me I would have changed Piru's avatar to a boing ball and underneath, in the location field I would write "You just got boinged by X-ray!"

 :evilgrin:  :hat:  :-P

I've been holding this one in reserve for just such an occasion:



;-)