From 94015bb81d0cd8f4afdb0155816e2ae9d18e9f50 Mon Sep 17 00:00:00 2001
From: Bill Erickson
Date: Wed, 9 Jun 2021 16:56:53 -0400
Subject: [PATCH] LP1901930 More randomization to auth session keys

Testing with many parallel SIP clients using the same login credentials showed that it's possible to have a hash collision when two logins occur with the same second and using the same username when the same backend auth_internal process handles the request.

This just adds more randomness to the hash generation.

Signed-off-by: Bill Erickson
---
 Open-ILS/src/c-apps/oils_auth_internal.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Open-ILS/src/c-apps/oils_auth_internal.c b/Open-ILS/src/c-apps/oils_auth_internal.c
index 948860f556..06039f38e1 100644
--- a/Open-ILS/src/c-apps/oils_auth_internal.c
+++ b/Open-ILS/src/c-apps/oils_auth_internal.c
@@ -340,8 +340,9 @@ int oilsAuthInternalCreateSession(osrfMethodContext* ctx) {
 	// determine the auth/cache timeout
 	long timeout = oilsAuthGetTimeout(userObj, login_type, org_unit);
 
-	char* string = va_list_to_string("%d.%ld.%ld",
-		(long) getpid(), time(NULL), oilsFMGetObjectId(userObj));
+	char* string = va_list_to_string("%ld.%d.%ld.%ld",
+		random(), (long) getpid(), time(NULL), oilsFMGetObjectId(userObj));
+
 	char* authToken = md5sum(string);
 	char* authKey = va_list_to_string(
 		"%s%s", OILS_AUTH_CACHE_PRFX, authToken);
-- 
2.11.0
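Review bot: The added `random()` call fixes the same-second collision but does not make the session token unguessable, because random() is a deterministic PRNG whose output is fixed by its seed; nothing in this hunk shows srandom() being called, and if the backend is never seeded every auth_internal process emits the same sequence, so the token is still a function of pid, time and user id. Since authToken is the bearer credential cached under authKey, the nonce should come from a CSPRNG (getrandom(2) from <sys/random.h>, or a read of /dev/urandom) rather than random(); a sketch follows, with the failure path left to this function's existing error convention, which is outside the hunk. The new format string also keeps the pre-existing mismatch of `%d` against `(long) getpid()`; with va_list_to_string presumably forwarding to a printf-style formatter, that conversion should be `%ld` (or the cast dropped and `%d` kept). oilsAuthInternalCreateSession begins and ends outside the hunk.
```c
	// The token is a bearer credential: draw its nonce from the kernel CSPRNG,
	// not from random(), whose sequence is determined by the (possibly absent) seed.
	unsigned long nonce = 0;
	if (getrandom(&nonce, sizeof nonce, 0) != (ssize_t) sizeof nonce) {
		/* … handle failure per this function's error convention; do not mint a token … */
	}
	char* string = va_list_to_string("%lu.%ld.%ld.%ld",
		nonce, (long) getpid(), (long) time(NULL), oilsFMGetObjectId(userObj));
	// … unchanged: md5sum / authKey construction …
```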