Updated: 2023-09-28 20:15:58
UUID generation is random, but random with bad entropy means that you will end up with easy-to-guess UUIDs. If you use a good random number generator, you can generate UUIDs that can be used for sessions. The catch to this, however, is that UUIDs don't have built-in replay prevention, tampering, fixation, etc.; you have to handle that on your own (read: a UUID by itself shouldn't be considered a valid session ID). That said, here's a good snippet for how you would generate a secure UUID using Python:
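The snippet the answer refers to does not appear on this page. What follows is an added example, not the answerer's code: it generates a version-4 UUID with the standard library (CPython's `uuid.uuid4()` reads its 16 bytes from `os.urandom`), shows how to reject IDs that are not random UUIDs (a version-1 UUID, for instance, is built from the clock and the node address), and wraps the UUID in a small server-side session store that supplies the expiry, tamper rejection and rotation-on-login the answer says a bare UUID does not give you. The `SessionStore` class, its `ttl_seconds` and `clock` parameters, and the user name `alice` are assumptions made for the example.

```python
"""Added example (not from the original answer): secure UUID generation in
Python, plus a minimal server-side session store that handles the expiry,
tampering and fixation concerns a bare UUID does not cover."""
import time
import uuid
from typing import Callable, Dict, Optional, Tuple


def secure_uuid() -> uuid.UUID:
    """Version-4 UUID. CPython's uuid4() draws its 16 bytes from os.urandom,
    so 122 bits are unpredictable (6 bits are fixed version/variant bits)."""
    return uuid.uuid4()


def time_based_uuid() -> uuid.UUID:
    """Version-1 UUID: clock + node (MAC) + a 14-bit clock sequence.
    Included only to contrast with uuid4; never use it as a session ID."""
    return uuid.uuid1()


def is_random_uuid(u: uuid.UUID) -> bool:
    """True only for RFC 4122 variant, version 4 (random) UUIDs."""
    return u.variant == uuid.RFC_4122 and u.version == 4


def parse_session_id(raw: object) -> Optional[str]:
    """Canonicalise a client-supplied ID (case, braces, urn: prefix) and
    reject anything that is not a well-formed random UUID before it
    reaches the store. Returns the canonical lowercase string or None."""
    try:
        u = uuid.UUID(raw)  # raises ValueError/TypeError on garbage
    except (ValueError, TypeError, AttributeError):
        return None
    return str(u) if is_random_uuid(u) else None


class SessionStore:
    """Assumed helper: map of session ID -> (user, expiry timestamp).
    The UUID is only a lookup key; authority lives in this table, so a
    client that edits its cookie simply fails the lookup."""

    def __init__(self, ttl_seconds: float = 900.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested offline
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def create(self, user: str) -> str:
        sid = str(secure_uuid())
        self._sessions[sid] = (user, self._clock() + self._ttl)
        return sid

    def lookup(self, raw: object) -> Optional[str]:
        """Return the user for a valid, unexpired session ID, else None."""
        sid = parse_session_id(raw)
        if sid is None:
            return None
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        user, expires = rec
        if self._clock() > expires:
            del self._sessions[sid]  # expired: drop it so it cannot be replayed
            return None
        return user

    def rotate(self, raw: object) -> Optional[str]:
        """Invalidate the current ID and issue a fresh one. Call this on login
        or privilege change so an attacker-planted ID (session fixation)
        never becomes an authenticated one."""
        user = self.lookup(raw)
        if user is None:
            return None
        del self._sessions[parse_session_id(raw)]
        return self.create(user)

    def revoke(self, raw: object) -> bool:
        sid = parse_session_id(raw)
        if sid is None:
            return False
        return self._sessions.pop(sid, None) is not None


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    first = store.create("alice")          # "alice" is a constructed user
    print(first, store.lookup(first))
    second = store.rotate(first)
    print(second, store.lookup(first), store.lookup(second))
```

Rotation on login is the piece that makes a UUID safe against fixation: the ID an attacker could have planted before authentication is discarded, and only the server-issued replacement maps to the logged-in user.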