From: Eric Rescorla <ekr@rtfm.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Subject: Re: Duplicate session IDs are *common*
Date: 10 Jan 2003 10:08:13 -0800
In-Reply-To: <3E1EF537.5EDF9C93@greenoak.com>

Glenn Olander writes:
> 5) The strength of the PRNG is largely irrelevant
>
> As a user, I wouldn't trust any solution which lacks a check for
> duplicate session id's, regardless of the strength of the PRNG.

This doesn't seem to me to be a plausible position in view of the fact
that all of our security mechanisms absolutely depend on statistical
uniqueness of randomly generated large numbers.

-Ekr

--
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
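The "statistical uniqueness" argument above can be made concrete with the birthday bound. The following is an added example, not code from the thread or from Tomcat: `collision_probability` computes the chance that any two of `n` IDs drawn uniformly from a `2**bits` space coincide, and the two constructed generators (`weak_session_ids`, which hashes a 16-bit value as if the PRNG had been seeded from a low-entropy source, and `strong_session_ids`, which uses the OS CSPRNG) show where a duplicate check would or would not ever fire.

```python
import hashlib
import math
import random
import secrets


def collision_probability(bits: int, n: int) -> float:
    """Birthday bound: P(at least one duplicate) among n IDs drawn uniformly
    from a space of 2**bits values.  Exact product for small n, the standard
    approximation 1 - exp(-n^2 / 2^(bits+1)) otherwise."""
    space = 2 ** bits
    if n <= 2000:
        log_no_collision = sum(math.log1p(-i / space) for i in range(n))
        return 1.0 - math.exp(log_no_collision)
    return -math.expm1(-(n * n) / (2 * space))


def count_duplicate_ids(ids) -> int:
    """Number of IDs that repeat an earlier one (what a duplicate check would catch)."""
    seen, dups = set(), 0
    for sid in ids:
        if sid in seen:
            dups += 1
        else:
            seen.add(sid)
    return dups


def weak_session_ids(n: int, seed: int = 1):
    """Constructed weak generator: only 16 bits of entropy feed each ID, so the
    256-bit hash output is cosmetic and collisions appear after a few hundred IDs."""
    rng = random.Random(seed)  # deterministic so the run is reproducible
    return [hashlib.sha256(rng.getrandbits(16).to_bytes(2, "big")).hexdigest()
            for _ in range(n)]


def strong_session_ids(n: int):
    """128 random bits per ID from the OS CSPRNG; duplicates are a non-event."""
    return [secrets.token_hex(16) for _ in range(n)]


if __name__ == "__main__":
    print("P(dup), 16-bit IDs, 1000 sessions :", collision_probability(16, 1000))
    print("P(dup), 128-bit IDs, 1e9 sessions :", collision_probability(128, 10 ** 9))
    print("weak generator duplicates / 5000  :", count_duplicate_ids(weak_session_ids(5000)))
    print("strong generator duplicates / 5000:", count_duplicate_ids(strong_session_ids(5000)))
```

With 128-bit IDs the probability of any collision across a billion sessions is on the order of 1e-21, so a duplicate check only ever has work to do when the generator itself is broken.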