oss-sec mailing list archives

Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack
From: "Stuart D. Gathman" <stuart () gathman org>
Date: Wed, 18 Dec 2019 23:09:40 -0500

On Thu, 2019-12-19 at 00:33 +0500, Alexander E. Patrakov wrote:

> The session id itself may be generated randomly, but the way the
> session is indexed by the backing store does not use a secure
> comparison.
>
> I don't understand why this is reported as something Rack-specific.
>
> On the other hand, I don't see how a timing attack would be possible
> on the most common data structures (B-Tree and Hash) used for
> database indexes.

My B-tree uses minimum unique key with leading duplicates not stored
for all but the leaf nodes - so it would also (eventually - there is so
much noise in the timing measurement) give away the key via timing
attacks.

I had not thought of that angle, and I hope I remember this the next
time I am reinventing session ids.  Now I'm also wondering about other
libraries that manage session ids.  Java servlets in Apache Tomcat?
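Added illustration, not part of this thread or of Rack's code: a session store that never indexes the backing store by the client-presented id itself, but by a SHA-256 digest of it. A timing leak in the store's key comparison (hash, B-tree, or anything else) then reveals at most the digest, which does not let anyone reconstruct the id a client must present. The class name, the in-memory Hash standing in for the backing store, and the pure-Ruby constant-time comparison are all assumptions of this example.

```ruby
require 'digest'
require 'securerandom'

# Session store whose index key is a digest of the client-supplied id.
# Only the digest is ever handed to the backing store, so a timing side
# channel in that store's key lookup cannot leak the real session id.
class HashedKeySessionStore
  def initialize
    @sessions = {} # stand-in for the real backing store (Hash, B-tree, DB index)
  end

  # Derive the index key from the client-presented id (hex keeps it printable).
  def store_key(session_id)
    Digest::SHA256.hexdigest(session_id)
  end

  # Create a session with a random id; the raw id is returned to the client
  # and is never stored as a key.
  def create(data = {})
    session_id = SecureRandom.hex(32)
    @sessions[store_key(session_id)] = data
    session_id
  end

  # Look up by the client-supplied id; returns nil for unknown ids.
  def fetch(session_id)
    @sessions[store_key(session_id)]
  end

  # What the backing store actually indexes (digests only).
  def stored_keys
    @sessions.keys
  end
end

# Constant-time equality for two strings: work is proportional to the length,
# not to the position of the first mismatch. Assumption: a pure-Ruby stand-in
# for a library routine such as Rack::Utils.secure_compare.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end
```

Wherever a presented id must still be compared against a stored value directly (for example a single expected token), use the constant-time comparison rather than `==`.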