
Unique session id in python


UPDATE: 2016-12-21

A lot has happened in the last ~5yrs. /dev/urandom has been updated and is now considered a high-entropy source of randomness on modern Linux kernels and distributions. In the last 6mo we've seen entropy starvation on a Linux 3.19 kernel using Ubuntu, so I don't think this issue is "resolved", but it's sufficiently difficult to end up with low-entropy randomness when asking for any amount of randomness from the OS.


I hate to say this, but none of the other solutions posted here are correct with regards to being a "secure session ID."

    # pip install M2Crypto
    import base64, M2Crypto

    def generate_session_id(num_bytes = 16):
        return base64.b64encode(M2Crypto.m2.rand_bytes(num_bytes))

Neither uuid() nor os.urandom() are good choices for generating session IDs. Both may generate random results, but random does not mean it is secure due to poor entropy. See "How to Crack a Linear Congruential Generator" by Haldir or NIST's resources on Random Number Generation. If you still want to use a UUID, then use a UUID that was generated with a good initial random number:

    import uuid, M2Crypto

    # uuid.UUID(bytes=...) requires exactly 16 bytes
    uuid.UUID(bytes = M2Crypto.m2.rand_bytes(16))
    # UUID('5e85edc4-7078-d214-e773-f8caae16fe6c')

or:

    # pip install pyOpenSSL
    import uuid, OpenSSL

    uuid.UUID(bytes = OpenSSL.rand.bytes(16))
    # UUID('c9bf635f-b0cc-d278-a2c5-01eaae654461')

M2Crypto is the best OpenSSL API in Python atm as pyOpenSSL appears to be maintained only to support legacy applications.


You can use the uuid library like so:

    import uuid

    my_id = uuid.uuid1() # or uuid.uuid4()


Python 3.6 makes most other answers here a bit out of date. Versions including 3.6 and beyond include the secrets module, which is designed for precisely this purpose.

If you need to generate a cryptographically secure string for any purpose on the web, refer to that module.

https://docs.python.org/3/library/secrets.html

Example:

    import secrets

    def make_token():
        """
        Creates a cryptographically-secure, URL-safe string
        """
        return secrets.token_urlsafe(16)

In use:

    >>> make_token()
    'B31YOaQpb8Hxnxv1DXG6nA'
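
The following is an added example, not code from any of the answers above. It contrasts the structure of `uuid.uuid1()` values (host node ID plus clock reading) with a `secrets`-based session ID, and goes slightly further by keeping only a hash of each ID on the server. The names `uuid1_structure`, `new_session_id` and `SessionStore` are hypothetical.

```python
import hashlib
import secrets
import uuid


def uuid1_structure(count=5):
    """Return (distinct node ids, timestamps) seen in `count` uuid1 values.

    uuid1 is built from the host's node id and a clock reading, so most of
    its bits are shared between IDs issued by the same server process.
    """
    ids = [uuid.uuid1() for _ in range(count)]
    return {u.node for u in ids}, [u.time for u in ids]


def new_session_id(num_bytes=32):
    """Return a URL-safe session ID carrying num_bytes of CSPRNG output."""
    return secrets.token_urlsafe(num_bytes)


class SessionStore:
    """Hypothetical in-memory store keyed by SHA-256 of the session ID,
    so a dump of the store does not reveal usable session IDs."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _key(session_id):
        return hashlib.sha256(session_id.encode("utf-8", "replace")).hexdigest()

    def create(self, user):
        session_id = new_session_id()
        self._sessions[self._key(session_id)] = user
        return session_id  # sent to the client once, never stored in the clear

    def lookup(self, session_id):
        return self._sessions.get(self._key(session_id))


if __name__ == "__main__":
    nodes, times = uuid1_structure()
    print("distinct uuid1 node ids:", len(nodes))
    print("uuid1 clock readings:", times)
    store = SessionStore()
    sid = store.create("alice")  # "alice" is a constructed sample user
    print(sid, "->", store.lookup(sid))
```
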