tomcat-dev mailing list archives

From Eric Rescorla <...@rtfm.com>
Subject Re: Duplicate session IDs are *common*
Date Fri, 10 Jan 2003 18:08:13 GMT

Glenn Olander <glenn@greenoak.com> writes:
> 5) The strength of the PRNG is largely irrelevant
> 
> As a user, I wouldn't trust any solution which lacks a check for
> duplicate session id's, regardless of the strength of the PRNG.

This doesn't seem to me to be a plausible position in view
of the fact that all of our security mechanisms absolutely
depend on statistical uniqueness of randomly generated large
numbers.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
