I wondered why django was trying to create a unique key, so I looked it up with my neighbor.
How to create a session ID-Skotoprigonievsk communication
I couldn't find any code that took the OS pid in 1.4.2 at hand.
I have a method in django.contrib.sessions.base.SessionBase with _get_new_session_key (), but in it, get_random_string () in django.utils.crypto is used and it's probably the key-generating function.
crypto.py
def get_random_string(length=12,
allowed_chars='abcdefghijklmnopqrstuvwxyz'
'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'):
"""
Returns a securely generated random string.
The default length of 12 with the a-z, A-Z, 0-9 character set returns
a 71-bit value. log_2((26+26+10)^12) =~ 71 bits
"""
if not using_sysrandom:
# This is ugly, and a hack, but it makes things better than
# the alternative of predictability. This re-seeds the PRNG
# using a value that is hard for an attacker to predict, every
# time a random string is required. This may change the
# properties of the chosen random sequence slightly, but this
# is better than absolute predictability.
random.seed(
hashlib.sha256(
"%s%s%s" % (
random.getstate(),
time.time(),
settings.SECRET_KEY)
).digest())
return ''.join([random.choice(allowed_chars) for i in range(length)])
When useng_sysramdom is False Random.getstate (), time.time () and settings.SECRET_KEY are multiplied by SHA256 as a seed.
The using_sysramdom flag is set in crypto.py to determine if random.SysRandom is available. This is the same as the content of the above blog.
crypto.py
import random
try:
random = random.SystemRandom()
using_sysrandom = True
except NotImplementedError:
import warnings
warnings.warn('A secure pseudo-random number generator is not available '
'on your system. Falling back to Mersenne Twister.')
using_sysrandom = False
This is a ramdom value in the end, so I'm still wondering if it's a unique key, but I wonder if it's like this.
By the way, when I tried to make a unique value in the past, [Catalyst :: Plugin :: Session](http://cpansearch.perl.org/src/BOBTFISH/Catalyst-Plugin-Session-0.37/lib/Catalyst/Plugin /Session.pm) I borrowed (perl).
Session.pm
my $counter;
sub session_hash_seed {
my $c = shift;
return join( "", ++$counter, time, rand, $$, {}, overload::StrVal($c), );
}
# ~~ snip ~~
sub generate_session_id {
my $c = shift;
my $digest = $c->_find_digest();
$digest->add( $c->session_hash_seed() );
return $digest->hexdigest;
}
I haven't applied ramdom at the end, so I think this one is more unique, but I don't know.