HttpUseridModule lacks uniqueness in uid generation
Reported by: Patrick Ellul
Owned by:
uname -a: Linux XXXXXX 3.2.34-55.46.amzn1.x86_64 #1 SMP Tue Nov 20 10:06:15 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Looking at the C code of this module, it seems that the UID generation is based on 4 things in order:
3) start time of nginx
However, these values are converted to uint32 before being htonl'ed.
Then they are sprintf'ed using %08XD.
Also the resultant cookie is trimmed to 22 characters.
This means that the assigned uid is not very unique, not to mention quite predictable.
When using this uid for session management, it makes it possible for users to intrude on other users' sessions, perhaps even steal another user's session on purpose.
We discovered this from our production systems, when we noticed that the same uid was being given to hundreds of different clients.
The nature of our system is such that we receive massive bursts of requests in a small amount of time and hence the chance of this happening increases quite a lot.
A simple fix could be to use a long random string instead, possibly of configurable length.
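The following is an added audit helper, not code from the ticket or from nginx. It assumes what the report describes: the cookie is the four htonl'ed uint32 fields (16 bytes) base64-encoded with the two padding characters dropped, hence 22 characters. Decoding a cookie back into its four fields shows they are addresses, timestamps and counters rather than random data, and scanning constructed log lines of the form "<client_ip> ... uid_set=<cookie>" (a hypothetical log format) flags any cookie handed out to more than one client, which is the symptom the reporter observed.

```python
import base64
import struct
from collections import defaultdict


def decode_userid_cookie(cookie):
    """Split a 22-character userid cookie into its four uint32 fields.

    Assumption: the cookie is base64 of the 16-byte value (four htonl'ed
    uint32s) with its two '=' padding characters removed."""
    if len(cookie) != 22:
        raise ValueError("expected a 22-character userid cookie")
    raw = base64.b64decode(cookie + "==")
    return struct.unpack("!IIII", raw)  # network byte order, as htonl() produces


def encode_userid_cookie(fields):
    """Inverse of decode_userid_cookie: four uint32s -> 22-character cookie."""
    raw = struct.pack("!IIII", *fields)
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def format_as_hex(fields):
    """Render the fields as a %08XD-style format does: 8 uppercase hex digits each."""
    return "".join("%08X" % f for f in fields)


def find_shared_uids(log_lines):
    """Return {cookie: {client_ips}} for every cookie issued to more than one client."""
    clients_by_uid = defaultdict(set)
    for line in log_lines:
        client_ip, _, rest = line.partition(" ")
        _, _, cookie = rest.rpartition("uid_set=")
        if cookie:
            clients_by_uid[cookie].add(client_ip)
    return {uid: ips for uid, ips in clients_by_uid.items() if len(ips) > 1}


# Constructed sample: two clients in the same burst receive the identical cookie.
SHARED = encode_userid_cookie((0x0A000001, 0x50AB7A87, 0x50AB7A00, 0x00000100))
OTHER = encode_userid_cookie((0x0A000001, 0x50AB7A87, 0x50AB7A00, 0x00000200))
SAMPLE_LOG = [
    "198.51.100.7 GET /login uid_set=" + SHARED,
    "203.0.113.9 GET /login uid_set=" + SHARED,
    "198.51.100.8 GET /login uid_set=" + OTHER,
]

if __name__ == "__main__":
    for uid, ips in find_shared_uids(SAMPLE_LOG).items():
        print(uid, format_as_hex(decode_userid_cookie(uid)), sorted(ips))
```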