tomcat-dev mailing list archives

From Jim Jagielski <>
Subject Re: Duplicate session IDs are *common*
Date Fri, 10 Jan 2003 18:16:51 GMT
Eric Rescorla wrote:
> Glenn Olander <> writes:
> > 5) The strength of the PRNG is largely irrelevant
> > 
> > As a user, I wouldn't trust any solution which lacks a check for
> > duplicate session ids, regardless of the strength of the PRNG.
> This doesn't seem to me to be a plausible position in view
> of the fact that all of our security mechanisms absolutely
> depend on statistical uniqueness of randomly generated large
> numbers.

These are 2 different points, I think. If you randomly generate numbers
between 1 and 1,000,000 you will, after a point in time, have
duplicate numbers. In fact, all will be duplicated over some time.
Valid and "trusted" session ids should be random and unique at the
same time. The PRNG takes care of one aspect.

   Jim Jagielski
      "A society that will trade a little liberty for a little order
             will lose both and deserve neither" - T.Jefferson
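An added example, not code from the thread or from Tomcat, illustrating the two points above: a uniform draw from a bounded space repeats after roughly sqrt(pi * N / 2) draws (the birthday bound), so the 1..1,000,000 space from the message collides after about 1,250 ids, while a 128-bit space does not collide in any practical lifetime; and regardless of the generator, an issuer can refuse to hand out an id that is still active. The `SessionIdIssuer` class, the 128-bit/hex id format, the injectable `draw` callable and the retry limit are this example's own assumptions; a real servlet container would keep the active-id set in its session manager.

```python
"""Birthday-bound collision simulation plus a session-id issuer with a
duplicate check. Example code only; the issuer design and the sample
parameters are assumptions made for this illustration, not Tomcat's."""
import math
import random
import secrets
from typing import Callable, Optional


def expected_draws_until_collision(space: int) -> float:
    """Birthday-bound approximation: drawing uniformly from `space` values,
    the first repeat is expected after about sqrt(pi * space / 2) draws."""
    return math.sqrt(math.pi * space / 2)


def draws_until_first_duplicate(space: int, rng: random.Random) -> int:
    """Draw from range(space) until a value repeats; return the draw count.
    A seeded random.Random keeps the simulation repeatable (it is a
    simulation of collision behaviour, not a source of real session ids)."""
    seen = set()
    draws = 0
    while True:
        draws += 1
        value = rng.randrange(space)
        if value in seen:
            return draws
        seen.add(value)


def mean_draws_until_duplicate(space: int, trials: int, seed: int = 1) -> float:
    """Average first-collision draw count over `trials` seeded runs."""
    rng = random.Random(seed)
    total = sum(draws_until_first_duplicate(space, rng) for _ in range(trials))
    return total / trials


class SessionIdIssuer:
    """Issues session ids from a CSPRNG and refuses to reuse an id that is
    still active. `draw` is injectable so the duplicate check can be
    exercised against a deliberately repeating generator."""

    def __init__(self, draw: Optional[Callable[[], str]] = None,
                 max_retries: int = 8):
        # Default generator (assumption): 128 bits from the OS CSPRNG, hex-encoded.
        self.draw = draw or (lambda: secrets.token_hex(16))
        self.max_retries = max_retries
        self.active: set = set()
        self.rejected_duplicates = 0

    def issue(self) -> str:
        """Return a fresh id; never one that is currently active."""
        for _ in range(self.max_retries):
            sid = self.draw()
            if sid in self.active:
                # The generator repeated (or is stuck): do not hand out a live id.
                self.rejected_duplicates += 1
                continue
            self.active.add(sid)
            return sid
        # Repeated collisions mean the generator is broken, not merely unlucky.
        raise RuntimeError("session id generator keeps returning active ids")

    def invalidate(self, sid: str) -> None:
        """Release an id when its session ends so it may be drawn again."""
        self.active.discard(sid)


if __name__ == "__main__":
    print("expected draws before a repeat in 1..1,000,000: "
          f"{expected_draws_until_collision(1_000_000):.0f}")
    print("simulated mean over 200 trials: "
          f"{mean_draws_until_duplicate(1_000_000, 200):.0f}")
    print("expected draws before a repeat for 128-bit ids: "
          f"{expected_draws_until_collision(2 ** 128):.3g}")
    issuer = SessionIdIssuer()
    print("fresh id:", issuer.issue())
```

The simulation uses a seeded `random.Random` only so that the collision counts are reproducible; the issuer itself draws from `secrets`, and the active-id check is what turns "random" into "random and unique" for as long as a session lives.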

