tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Duplicate session IDs?
Date Mon, 30 Dec 2002 06:59:07 GMT

----- Original Message -----
From: "Eric Rescorla" <ekr@rtfm.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Sunday, December 29, 2002 10:05 PM
Subject: Re: Duplicate session IDs?


> "Schnitzer, Jeff" <JSchnitzer@maxis.com> writes:
> > Yes that's true if the monotonically increasing value is added to the
> > random number _before_ the hash... and even worse, there is nothing that
> > guarantees that two numbers won't hash to the same value so we're back
> > to the duplicate session id problem.
> >
> > What I was suggesting is adding the integer to the session id _after_
> > hashing:
> >
> > ASDFASFDASFDASF000000012
> > [hashed random][counter]
> >
> > This would guarantee that every session id is unique, and wouldn't
> > require any synchronization (operator ++ on any integer smaller than a
> > long is guaranteed atomic, right?).
>
> The standard fix for this is to use a cryptographic pseudo-random
> number generator, such as Java's SecureRandom. SecureRandom
> automatically seeds itself from allegedly random system data.
> The probability that two sufficiently long random numbers
> (e.g. 16 bytes) will collide is vanishing. (E.g. with a 16-byte
> session ID, you'd have to generate > 2^60 session IDs to have
> a reasonable chance of collision.)
>

Nice to have you back Eric :-)

As far as I can tell, ManagerBase could really use your expertise on this.
The current algorithm is really bad :-(

> -Ekr
>
> --
> [Eric Rescorla                                   ekr@rtfm.com]
>                 http://www.rtfm.com/
>


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
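The thread above contrasts two ways of making session IDs unique: Jeff's hashed-random-plus-counter layout and Eric's "just draw enough CSPRNG bytes" approach. The following is an added illustration written for this archive page; it is not Tomcat's ManagerBase code and not code posted by either participant. It generates IDs from java.security.SecureRandom as Eric describes, optionally appends a counter in Jeff's layout (using AtomicLong, since a plain ++ on a shared field is a read-modify-write and is not atomic in Java), and evaluates the birthday bound behind Eric's "> 2^60" figure. The class name SessionIdExample and the helper names are assumptions for this example.

```java
import java.security.SecureRandom;
import java.util.concurrent.atomic.AtomicLong;

/**
 * Added example for the tomcat-dev thread "Duplicate session IDs?".
 * Not Tomcat's ManagerBase; names below are chosen for this illustration.
 */
public final class SessionIdExample {

    // SecureRandom seeds itself from the platform's entropy source; one
    // shared instance is fine, nextBytes() is thread-safe.
    private static final SecureRandom RNG = new SecureRandom();

    // Counter for the "[hashed random][counter]" layout. AtomicLong is used
    // because ++ on a shared int/long field is not atomic across threads.
    private static final AtomicLong COUNTER = new AtomicLong();

    /** Returns a hex session ID built from numBytes bytes of CSPRNG output. */
    public static String randomSessionId(int numBytes) {
        byte[] buf = new byte[numBytes];
        RNG.nextBytes(buf);
        return toHex(buf);
    }

    /**
     * Jeff's layout: random part followed by a monotonically increasing
     * counter. The counter guarantees uniqueness within one JVM; the random
     * part is still what makes the ID unguessable.
     */
    public static String randomSessionIdWithCounter(int numBytes) {
        long seq = COUNTER.incrementAndGet();
        return randomSessionId(numBytes) + String.format("%012d", seq);
    }

    /**
     * Birthday-bound estimate: after drawing n IDs uniformly from a space of
     * 2^bits values, P(collision) ~= n^2 / 2^(bits+1). Valid while p is small.
     */
    public static double collisionProbability(double n, int bits) {
        return (n * n) / Math.pow(2.0, bits + 1);
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("random 16-byte id:   " + randomSessionId(16));
        System.out.println("id with counter:     " + randomSessionIdWithCounter(16));

        // Eric's figure: 16-byte (128-bit) IDs, 2^60 of them drawn.
        // p ~= 2^120 / 2^129 = 2^-9, i.e. about 0.2 percent.
        System.out.printf("P(collision), 2^60 ids, 128 bits: %.4f%n",
                collisionProbability(Math.pow(2.0, 60), 128));

        // At 2^64 ids the estimate reaches ~0.5, the usual birthday threshold.
        System.out.printf("P(collision), 2^64 ids, 128 bits: %.4f%n",
                collisionProbability(Math.pow(2.0, 64), 128));
    }
}
```

The estimate is the standard n^2 / 2N approximation of the birthday problem; it matches Eric's point that with 128 bits of CSPRNG output a server would have to issue on the order of 2^60 IDs before a duplicate becomes plausible, which is why no counter or synchronization is needed for uniqueness. The counter variant is kept only to show that, if used, it should be incremented atomically; it adds no unpredictability, so the random part must remain full length.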

