commons-user mailing list archives

From Jörg Schaible <Joerg.Schai...@Elsag-Solutions.com>
Subject RE: [id] UUID Version 4
Date Tue, 04 May 2004 07:32:03 GMT
Hi Phil,

Phil Steitz wrote on Saturday, May 01, 2004 4:37 PM:
> Sorry for the latency.  I have been on the road.  See below.

no problem.

>> Yes, all I really want is uniqueness, but again SessionIdGenerator
>> implies for me, that uniqueness is only guaranteed during a session,
>> i.e. restarting the application may produce id collisions?
> 
> The SessionIdGenerator should be OK for your use case, if I
> understand it correctly, unless application runs start at exactly the
> same system time (by resetting the system clock).  Have a look at the
> code here:
> 
> http://cvs.apache.org/viewcvs.cgi/jakarta-commons-sandbox/id/src/java/org/apache/commons/id/random/SessionIdGenerator.java?view=markup
> 
> to see exactly what it does, but basically the ids generated by this
> generator are made up of 6 random characters, followed by 3 characters
> based on system time, plus 1+ count characters to ensure that they plus
> the 3 time characters are unique (in case ids are generated faster than
> clock resolution).  The random characters are generated using a Random
> which is a (non-static) instance variable, initialized using the default
> (system time) seed.
> 
> Therefore, if two application runs start at precisely the same system
> clock time and each uses a singleton SessionIdGenerator to generate ids,
> generated ids could in theory collide; but if you don't mess with the
> system clock between subsequent runs, uniqueness should be preserved
> across runs.
> 
> Another factor to consider here is whether or not / how much you care if
> the generated ids can be spoofed.  Neither SessionIdGenerator nor the
> version 4 UUID are particularly secure from this standpoint (i.e.,
> preventing a hacker from generating a valid identifier based on observed
> identifier values). The SecureRandom version of the version 4 UUID is
> better; but neither are as good as e.g., what tomcat does
> 
> http://cvs.apache.org/viewcvs.cgi/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/ManagerBase.java?view=markup
> 
> A "secure" package of secure random or signed identifier generators
> would make a good addition to [id].  As always, contributions are
> welcome :-)

Thanks for your valuable explanation. You could add a lot of it to the package.html :)
As you've assumed, the SessionIdGenerator will be enough in my situation. Luckily, I do not
have to make any security considerations in my case :)

Regards,
Jörg

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-user-help@jakarta.apache.org
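
Added example (not part of the original message, and not code from the [id] project): a simplified model of the id layout described in the quoted text (6 random characters, 3 time characters, a counter), showing that two runs whose Random is seeded with the same clock value repeat each other's ids, while the same layout fed from SecureRandom does not. The class and method names, the alphabet, the base-36 encoding and the start timestamp are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Random;

// Simplified model of the layout described in the thread; not the [id] code.
public class SessionIdSeedDemo {
    private static final char[] ALPHABET =
            "abcdefghijklmnopqrstuvwxyz0123456789".toCharArray();

    // 6 random chars + 3 time chars + counter (encodings are assumptions).
    static String nextId(Random rng, long millis, int count) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 6; i++) {
            sb.append(ALPHABET[rng.nextInt(ALPHABET.length)]);
        }
        String time = Long.toString(millis, 36);
        sb.append(time.substring(time.length() - 3));
        sb.append(Integer.toString(count, 36));
        return sb.toString();
    }

    // Generate n ids in one simulated application run starting at startMillis.
    static String[] run(Random rng, long startMillis, int n) {
        String[] ids = new String[n];
        for (int i = 0; i < n; i++) {
            ids[i] = nextId(rng, startMillis, i);
        }
        return ids;
    }

    public static void main(String[] args) {
        long start = 1083655923000L; // constructed start time shared by all runs

        // Two runs whose Random is seeded from the same clock value:
        // the random part is identical, so run B repeats run A's ids.
        String[] a = run(new Random(start), start, 3);
        String[] b = run(new Random(start), start, 3);
        // Same clock value, but the random part comes from SecureRandom,
        // which is seeded from OS entropy rather than from the time.
        String[] c = run(new SecureRandom(), start, 3);
        String[] d = run(new SecureRandom(), start, 3);

        for (int i = 0; i < 3; i++) {
            System.out.printf("Random       %s %s collide=%b%n",
                    a[i], b[i], a[i].equals(b[i]));
            System.out.printf("SecureRandom %s %s collide=%b%n",
                    c[i], d[i], c[i].equals(d[i]));
        }
    }
}
```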

