tomcat-dev mailing list archives

From Eric Rescorla <...@rtfm.com>
Subject Re: Duplicate session IDs are *common*
Date Fri, 10 Jan 2003 19:34:14 GMT
Glenn Olander <glenn@greenoak.com> writes:

> I think you may have misunderstood. I'm just pointing out that, from a
> user's perspective, a good solution requires two elements:
>
> 1) a good PRNG, such as secureRandom
> 2) a uniqueness guarantee
>
> I'm not saying a PRNG is unneeded. I'm just saying a good one like
> PRNG is good enough as long as it is accompanied by a uniqueness
> guarantee. Are you saying you want to remove the uniqueness guarantee?

I'm saying that a strong PRNG with a sufficiently wide session
ID provides a statistical probability of collision so low that
there is no need to explicitly check for uniqueness.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
