tomcat-dev mailing list archives

From Remy Maucherat <>
Subject Re: Duplicate session IDs?
Date Mon, 30 Dec 2002 10:07:11 GMT
Bill Barker wrote:
>>"Schnitzer, Jeff" <> writes:
>>The standard fix for this is to use a cryptographic pseudo-random
>>number generator, such as Java's SecureRandom. SecureRandom
>>automatically seeds itself from allegedly random system data.
>>the probability that two sufficiently long random numbers
>>(e.g. 16 bytes) will collide is vanishing. (E.g. with a 16-byte
>>session ID, you'd have to generate > 2^60 session IDs to have
>>a reasonable chance of collision.)
> Nice to have you back Eric :-)
> As far as I can tell, ManagerBase could really use your expertise on this.
> The current algorithm is really bad :-(

Yes, it would be nice to have a new one for Tomcat 5.
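
An added illustration of the quoted point about SecureRandom and 16-byte session IDs. This is not Tomcat's ManagerBase code and not code from anyone in this thread; the class and method names are hypothetical, and the seeded `java.util.Random` generator is a constructed weak case shown only for contrast.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added example, not Tomcat code. All names here are hypothetical.
public class SessionIdDemo {
    private static final int ID_BYTES = 16; // 16-byte (128-bit) IDs, as in the quoted post
    private static final char[] HEX = "0123456789ABCDEF".toCharArray();

    // SecureRandom seeds itself from system entropy; one shared instance is thread-safe.
    private static final SecureRandom SECURE = new SecureRandom();

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(HEX[(b >> 4) & 0x0F]).append(HEX[b & 0x0F]);
        }
        return sb.toString();
    }

    static String secureId() {
        byte[] b = new byte[ID_BYTES];
        SECURE.nextBytes(b);
        return toHex(b);
    }

    // Constructed weak case: java.util.Random output is fully determined by its seed,
    // so two generators seeded with the same value emit the same "session ID".
    static String weakId(long seed) {
        byte[] b = new byte[ID_BYTES];
        new Random(seed).nextBytes(b);
        return toHex(b);
    }

    // Birthday approximation for n = 2^log2n IDs of the given bit length:
    // P(collision) ~= 1 - exp(-n^2 / 2^(bits + 1))
    static double collisionProbability(int log2n, int bits) {
        double exponent = Math.pow(2.0, 2.0 * log2n - (bits + 1));
        return -Math.expm1(-exponent); // expm1 keeps precision for tiny exponents
    }

    public static void main(String[] args) {
        long seed = 1041242831000L; // constructed value standing in for a shared clock seed
        System.out.println("weak A:   " + weakId(seed));
        System.out.println("weak B:   " + weakId(seed) + "  (same seed, duplicate ID)");
        System.out.println("secure A: " + secureId());
        System.out.println("secure B: " + secureId());
        for (int log2n : new int[] {32, 60, 64}) {
            System.out.printf("n = 2^%d IDs: P(collision) ~ %.3e%n",
                    log2n, collisionProbability(log2n, 8 * ID_BYTES));
        }
    }
}
```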

