== Session IDs and the Birthday Paradox If you have a database (or in general some writable store), the best way to do authentication in a web app is with session ID cookies. Every time someone logs in, you pick a large random number to be their session ID, give them a cookie with the session ID, and then store all of the details in your database under the session ID. When they come back, you get the session ID cookie, look it up in the database, make sure it's (still) valid, and go. What prevents attackers from getting in is the difficulty of guessing a usable session ID. So, assuming you're using a good random number generator such as _/dev/urandom_ on Linux, how big do your session ID numbers have to be to make one infeasible to guess? This is a slight variant on the [['Birthday paradox' http://en.wikipedia.org/wiki/Birthday_paradox]] problem. With _N_ items and _M_ possible values they can have, the basic Birthday paradox approximation is (in Python notation): > _1 - [[exp( (-(N*(N-1))) / (2*M))|]]_ (call this *p(N, M)*.) To start with, let's say that you expect three million valid session IDs at a time; this might seem extreme, but [[LiveJournal http://www.livejournal.com]] currently has two million active users. I've made a handy little table of results: | Bits | Collision chance | 32 | 100% | 40 | 98.3% | 48 | 1.59% | 56 | 0.006% | 64 | 0.00002% | 72 | ~ 0% (Disclaimer: I *think* I, and Python, got the math right. Please feel free to correct me if I didn't. '~ 0%' means 'so small that it prints as 0'; the collision chance is clearly never literally 0.) So 72 bits (9 bytes) should be pretty durn safe. It even remains safe at 30 million valid session IDs, which is a pretty good sign that people trying to guess valid session IDs will be there for a long, long time. If you expect 300 million valid session IDs, you'll want to go to more bits. On most modern systems, the easy way to get this much good randomness is just to read however many bytes you need from _/dev/urandom_. (Please don't try to make up your own random number generator. The security world is littered with the shattered remnants of people who tried that.) === More probability and math Now, this isn't quite the answer to the question I posed at the start, which I can rephrase as: > Starting with _N_ unique session IDs out of _M_ possible values, what > are the odds of finding a duplicate in _R_ additional guesses? The figures I gave are somewhat of a handwave about, effectively, *p(N+R, M)*, which is more or less the same as *p(N, M)* if _R_ is (very) small compared to _N_. A friend pointed out that this is just the probability of making _R_ different wrong guesses, so the full expression for the probability is: > [[1 - (1 - N/M) * (1 - N/(M-1)) * ... * (1 - N/(M-R))|]] (Update: actually the terms should run only to (M-(R-1)).) However, computing this for large _R_s is irksome (unless you have a good symbolic math package around), and I don't know if there's a good approximation or summation. I think *p(N+R, M) - p(N, M)* might be close, although that sort of overcounts by roughly *p(R, M)* (since the attacker's values will be non-colliding if the attacker has any brains). === Sidebar: giving everyone on earth a randomly assigned unique ID Let's assume that we wanted to randomly assign everyone on earth a numeric ID, and be relatively sure that there were no collisions. How large a bit space would we need? To have a margin for error, let's use a world population figure of ten billion. | Bits | Collision chance | 64 | 93.35% | 72 | 1.05% | 80 | 0.004% | 88 | 0.000016% | 96 | 0.000000063% | 104 | 0.0000000002% | 128 | 0.000000000000000014% | 160 | ~ 0% (These figures are from _bc_, because _python_ ran out of precision. MD5 hashes are 128 bits and SHA1 hashes are 160 bits.)