commons-user mailing list archives

From Phil Steitz <p...@steitz.com>
Subject Re: [id] UUID Version 4
Date Sat, 01 May 2004 14:36:44 GMT
Jörg,

Sorry for the latency.  I have been on the road.  See below.

> 
> Yes, all I really want is uniqueness, but again SessionIdGenerator implies
> for me, that uniqueness is only guaranteed during a session, i.e.
> restarting the application may produce id collisions?

The SessionIdGenerator should be OK for your use case, if I understand it 
correctly, unless application runs start at exactly the same system time 
(by resetting the system clock).  Have a look at the code here:

http://cvs.apache.org/viewcvs.cgi/jakarta-commons-sandbox/id/src/java/org/apache/commons/id/random/SessionIdGenerator.java?view=markup

to see exactly what it does, but basically the ids generated by this 
generator are made up of 6 random characters, followed by 3 characters 
based on system time, plus 1+ count characters to ensure that they plus 
the 3 time characters are unique (in case ids are generated faster than 
clock resolution).  The random characters are generated using a Random 
which is a (non-static) instance variable, initialized using the default 
(system time) seed.

Therefore, if two application runs start at precisely the same system 
clock time and each uses a singleton SessionIdGenerator to generate ids, 
generated ids could in theory collide; but if you don't mess with the 
system clock between subsequent runs, uniqueness should be preserved 
across runs.

Another factor to consider here is whether or not / how much you care if 
the generated ids can be spoofed.  Neither SessionIdGenerator nor the 
version 4 UUID are particularly secure from this standpoint (i.e., 
preventing a hacker from generating a valid identifier based on observed 
identifier values). The SecureRandom version of the version 4 UUID is 
better; but neither is as good as, e.g., what Tomcat does:

http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/ManagerBase.java?view=markup

A "secure" package of secure random or signed identifier generators would 
make a good addition to [id].  As always, contributions are welcome :-)

Phil

> 
> Regards,
> Jörg
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: commons-user-help@jakarta.apache.org
> 
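
An added example, not part of the original message and not the Commons [id] source: a simplified Java model of the id layout described above (6 random characters, 3 time characters, a counter) with the `Random` seeded from the start time, showing that two runs started at the same clock value emit identical ids, next to a `SecureRandom`-based alternative. The class names, the base-36 alphabet and the timestamp are assumptions made for the illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class IdSeedDemo {
    // Simplified model of the layout described in the message, NOT the Commons [id] code.
    static final class TimeSeededIdGenerator {
        private final Random random;   // non-static instance, seeded once
        private long lastTick = -1;
        private int counter;

        TimeSeededIdGenerator(long startMillis) {
            this.random = new Random(startMillis); // assumption: seed = clock at start
        }

        String next(long nowMillis) {
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 6; i++) {            // 6 random characters
                sb.append(Character.forDigit(random.nextInt(36), 36));
            }
            long tick = nowMillis % (36L * 36 * 36); // 3 time-based characters
            counter = (tick == lastTick) ? counter + 1 : 0; // disambiguates ids within one tick
            lastTick = tick;
            String t = Long.toString(tick, 36);
            sb.append("000", t.length(), 3).append(t);      // left-pad the time part to 3 chars
            return sb.append(Integer.toString(counter, 36)).toString();
        }
    }

    // Alternative: 128 bits straight from a CSPRNG, no clock involved.
    static String secureId(SecureRandom rng) {
        byte[] buf = new byte[16];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        long start = 1083422204000L; // constructed start time
        TimeSeededIdGenerator runA = new TimeSeededIdGenerator(start);
        TimeSeededIdGenerator runB = new TimeSeededIdGenerator(start);     // same clock value
        TimeSeededIdGenerator runC = new TimeSeededIdGenerator(start + 1); // started 1 ms later
        for (int i = 0; i < 3; i++) {
            long now = start + i / 2; // two ids in the first millisecond, then one more
            String a = runA.next(now), b = runB.next(now), c = runC.next(now);
            System.out.printf("%s %s %s  A==B:%b A==C:%b%n", a, b, c, a.equals(b), a.equals(c));
        }
        SecureRandom rng = new SecureRandom();
        System.out.println(secureId(rng) + " " + secureId(rng));
    }
}
```

Runs A and B agree on every id because the seed, the time part and the counter are all functions of the clock; run C shares the time part and counter but draws different random characters.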


