id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
11729	session key should extract more entropy from time.time()	Ryan Kelly	nobody	"
The code to construct a new session key calls time.time() to get some additional entropy, but uses the ""%s"" format to mix it in.  The default precision for ""%s"" formatting is 2 decimal places, which throws away the bits with the highest entropy:

{{{
>>> for _ in xrange(5):
...     print ""%s"" % (time.time(),)
... 
1250468751.64
1250468751.64
1250468751.64
1250468751.64
1250468751.64
}}}

Attached is a simple patch to make it use ""%.20f"" instead, which is much more convincingly ""random"":

{{{
>>> for _ in xrange(5):
...     print ""%.20f"" % (time.time(),)
... 
1250468874.97280406951904296875
1250468874.97284793853759765625
1250468874.97286295890808105469
1250468874.97287893295288085938
1250468874.97289204597473144531
}}}

Cheers,

    Ryan"		closed	contrib.sessions	dev		wontfix			Unreviewed	1	0	0	0	0	0
