id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
296	HttpUseridModule lacks uniqueness in uid generation	Patrick Ellul		"Looking at the C code of this module, it seems that the UID generation is based on 4 things in order:

1) local_sockaddr
2) ngx_time
3) start time of nginx
4) sequence

However, these values are converted to uint32 before being htonl'ed.

Then they are sprintf'ed using %08XD

Also the resultant cookie is trimmed to 22 characters.

This means that the assigned uid is not very unique, not to mention quite predictable. 

When using this uid for session management, it makes it possible for users to intrude on other users sessions, perhaps even steal another user's session on purpose.

We discovered this from our production systems, when we noticed that the same uid was being given to hundreds of different clients.

The nature of our system is such that we receive massive bursts of requests in a small amount of time and hence the chance of this happening increases quite a lot.

A simple fix could be to use a long random string instead, possibly of configurable length."	defect	closed	minor		nginx-module	1.3.x	invalid	userid, security		Linux XXXXXX 3.2.34-55.46.amzn1.x86_64 #1 SMP Tue Nov 20 10:06:15 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux	nginx_1.2.5