tomcat-dev mailing list archives
From "Jonathan Eric Miller" <jemil...@uchicago.edu>
Subject Re: Duplicate session IDs are *common*
Date Mon, 03 Mar 2003 22:38:09 GMT
It doesn't matter how improbable it is that a conflict will occur. If it's
at all possible for a conflict to occur, then you need to perform an
explicit uniqueness check. Any conflict, no matter how improbable, is
unacceptable.

Jon

----- Original Message -----
From: "Eric Rescorla" <ekr@rtfm.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Friday, January 10, 2003 1:34 PM
Subject: Re: Duplicate session IDs are *common*


> Glenn Olander <glenn@greenoak.com> writes:
>
> > I think you may have misunderstood. I'm just pointing out that, from a
> > user's perspective, a good solution requires two elements:
> >
> > 1) a good PRNG, such as secureRandom
> > 2) a uniqueness guarantee
> >
> > I'm not saying a PRNG is unneeded. I'm just saying a good one like
> > PRNG is good enough as long as it is accompanied by a uniqueness
> > guarantee. Are you saying you want to remove the uniqueness guarantee?
> I'm saying that a strong PRNG with a sufficiently wide session
> ID provides a statistical probability of collision so low that
> there is no need to explicitly check for uniqueness.
>
> -Ekr
>
> --
> [Eric Rescorla                                   ekr@rtfm.com]
>                 http://www.rtfm.com/
>
> --
> To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
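The two positions in the thread (a wide ID from a strong PRNG makes a collision statistically negligible, versus an explicit uniqueness check regardless of the odds) can both be made concrete. The following is an added example, not code from the thread or from Tomcat; it is written in Python rather than Tomcat's Java, uses the birthday-bound approximation for the collision probability, and pairs a CSPRNG-backed generator with the explicit uniqueness check Glenn Olander describes. The class name, the injectable `rng` parameter and the `max_attempts` limit are assumptions made for illustration, as is the use of an in-memory set to stand in for a server's table of active sessions.

```python
import math
import secrets


def collision_probability(n_sessions: int, id_bits: int) -> float:
    """Birthday-bound estimate of P(at least one duplicate) when n_sessions
    IDs are drawn uniformly from 2**id_bits values.

    Uses p = 1 - exp(-n(n-1) / (2 * 2**b)); expm1 keeps precision when
    the result is tiny (which is exactly the case for wide IDs).
    """
    space = 2 ** id_bits
    exponent = -(n_sessions * (n_sessions - 1)) / (2 * space)
    return -math.expm1(exponent)


def collision_table(n_sessions: int, widths=(32, 64, 128)) -> dict:
    """Collision probability for one session count across several ID widths,
    to show how quickly width alone drives the odds toward zero."""
    return {bits: collision_probability(n_sessions, bits) for bits in widths}


class SessionIdGenerator:
    """CSPRNG-backed session ID generator with an explicit uniqueness check.

    `active` stands in for the server's set of live session IDs (assumption:
    a real container would consult its session store instead). `rng` defaults
    to secrets.token_bytes and is injectable only so the check can be
    exercised against a deliberately repeating source in tests.
    """

    def __init__(self, id_bytes: int = 16, rng=secrets.token_bytes,
                 max_attempts: int = 8):
        self._id_bytes = id_bytes
        self._rng = rng
        self._max_attempts = max_attempts
        self.active: set = set()
        self.retries = 0  # how often the uniqueness check actually fired

    def new_session_id(self) -> str:
        # Draw, check against live sessions, retry on a duplicate. With a
        # 128-bit ID from a real CSPRNG the retry branch is effectively
        # never taken, which is Eric Rescorla's point; the check is what
        # turns "effectively never" into "never", which is Jon's.
        for _ in range(self._max_attempts):
            candidate = self._rng(self._id_bytes).hex()
            if candidate not in self.active:
                self.active.add(candidate)
                return candidate
            self.retries += 1
        # Repeated duplicates mean the randomness source is broken; failing
        # loudly is safer than handing two clients the same session.
        raise RuntimeError("could not produce a unique session id")

    def release(self, session_id: str) -> None:
        """Forget an expired session so its ID may be reused later."""
        self.active.discard(session_id)


def scripted_rng(outputs):
    """Constructed, non-random byte source for demonstrating the check."""
    it = iter(outputs)
    return lambda n: next(it)


if __name__ == "__main__":
    for bits, p in collision_table(10 ** 9).items():
        print(f"{bits:>3}-bit IDs, 1e9 sessions: P(collision) ~ {p:.3g}")
    gen = SessionIdGenerator()
    print("fresh id:", gen.new_session_id())
```

With a billion live sessions, 32-bit IDs collide with near certainty, 64-bit IDs collide with probability around a few percent, and 128-bit IDs sit around 1e-21; the generator's `retries` counter shows whether the explicit check ever did any work.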

