tomcat-dev mailing list archives

From Eric Rescorla <>
Subject Re: Duplicate session IDs are *common*
Date Fri, 10 Jan 2003 19:31:36 GMT
Jim Jagielski <> writes:
> Of course, as you said, it depends on the range and the timespan.
> But it doesn't change the fact that randomness != uniqueness, which is
> what Glenn's point was I think.
Perhaps not from a theoretical perspective, but from a practical
perspective it does. With a sufficiently large session ID, the
probability of a collision can be made vastly less than the
probability that some sort of programming error (or a hardware error)
makes an invalid session appear valid.

As I said previously, the entire practice of modern security
depends on this.


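The "sufficiently large session ID" argument above is the birthday bound. As an added illustration (not code from the thread or from Tomcat), the following computes the collision probability for a given ID size and session count, and the number of sessions that can be issued before a target probability is reached; the ID sizes and session counts are constructed sample values.

```python
import math
import secrets


def collision_probability(id_bits: int, sessions: int) -> float:
    """Probability that at least two of `sessions` uniformly random
    id_bits-bit session IDs coincide.

    Uses the birthday-bound approximation 1 - exp(-n(n-1)/(2N)) with
    N = 2**id_bits; expm1 keeps precision when the result is tiny."""
    space = 2.0 ** id_bits
    exponent = -(sessions * (sessions - 1)) / (2.0 * space)
    return -math.expm1(exponent)


def sessions_for_probability(id_bits: int, target: float) -> int:
    """How many sessions can be issued before the collision probability
    reaches `target`: invert the bound, n ~ sqrt(2N * ln(1/(1-p)))."""
    space = 2.0 ** id_bits
    return int(math.sqrt(-2.0 * space * math.log1p(-target)))


def new_session_id(nbytes: int = 16) -> str:
    """Session ID drawn from the OS CSPRNG; 16 bytes = 128 bits, the
    size at which the collision probability below becomes negligible."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed scenarios: a small ID space that a busy server will
    # exhaust, versus a 128-bit ID space with a billion live sessions.
    for bits, n in ((32, 100_000), (64, 100_000), (128, 10**9)):
        print(f"{bits:3d}-bit IDs, {n:>10d} sessions: "
              f"P(collision) = {collision_probability(bits, n):.3e}")
    print("32-bit IDs reach 50% collision odds after",
          sessions_for_probability(32, 0.5), "sessions")
    print("example 128-bit ID:", new_session_id())
```

For 128-bit IDs and a billion sessions the result is on the order of 1e-21, far below any realistic rate of software or hardware faults, which is exactly the practical point made above.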
