tomcat-dev mailing list archives

From Eric Rescorla <...@rtfm.com>
Subject Re: Duplicate session IDs are *common*
Date Fri, 10 Jan 2003 19:31:36 GMT
Jim Jagielski <jim@jaguNET.com> writes:
> Of course, as you said, it depends on the range and the timespan.
> 
> But it doesn't change the fact that randomness != uniqueness, which is
> what Glenn's point was I think.
Perhaps not from a theoretical perspective, but from a practical
perspective it does. With a sufficiently large session ID, the
probability of a collision can be made vastly less than the
probability of some sort of programming error (or a hardware error)
making an invalid session appear valid.

As I said previously, the entire practice of modern security
depends on this.

-Ekr


-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
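
The collision argument in the message above can be put into numbers with the birthday bound. This is an added example, not part of the original message or of Tomcat's code; it assumes session IDs are drawn uniformly at random, and the function names are illustrative.

```python
import math
import random


def collision_probability(n_sessions: int, id_bits: int) -> float:
    """Birthday bound: chance of at least one duplicate among n_sessions
    IDs drawn uniformly from a space of 2**id_bits values."""
    space = 2.0 ** id_bits
    # 1 - exp(-n(n-1)/2N); expm1 keeps precision when the result is tiny.
    return -math.expm1(-n_sessions * (n_sessions - 1) / (2.0 * space))


def min_id_bits(n_sessions: int, max_probability: float) -> int:
    """Smallest ID length (bits) whose collision probability for
    n_sessions live sessions stays at or below max_probability."""
    bits = 1
    while collision_probability(n_sessions, bits) > max_probability:
        bits += 1
    return bits


def simulated_collision_rate(n_sessions: int, id_bits: int,
                             trials: int, seed: int = 1) -> float:
    """Empirical check of the bound on a deliberately small ID space.
    The seeded PRNG is only for a repeatable simulation; real session
    IDs must come from a cryptographic generator."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(n_sessions):
            sid = rng.getrandbits(id_bits)
            if sid in seen:
                hits += 1
                break
            seen.add(sid)
    return hits / trials


if __name__ == "__main__":
    # Constructed scenarios: (live sessions, ID length in bits).
    for n, bits in [(2**16, 32), (10**6, 64), (10**9, 128)]:
        print(f"{n:>12} sessions, {bits:>3}-bit IDs: "
              f"P(collision) ~ {collision_probability(n, bits):.3e}")
    print("bits for 1e9 sessions at P <= 1e-18:", min_id_bits(10**9, 1e-18))
    print("simulated, 300 sessions, 16-bit IDs:",
          simulated_collision_rate(300, 16, 2000))
```

With 32-bit IDs, 65,536 sessions already collide with probability near 0.39; with 128-bit IDs, a billion sessions collide with probability on the order of 1e-21.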
