Mailing-List: contact tomcat-user-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-user@jakarta.apache.org
Date: Tue, 15 Aug 2000 14:29:30 +0800
From: "Cristian Southall"
Subject: session IDs

Hi.

My organisation is currently moving from an Oracle App Server environment to Tomcat. It would be nice to leverage Tomcat's convenient session management features but I have to convince my colleagues that the session IDs Tomcat issues are as 'secure' as those we currently build.

I understand that the security of a session ID - given that it does not actually encode any information (that I know of) - is simply how difficult it would be to anticipate or recreate the string Tomcat issues but I cannot find any info on how Tomcat arrives at the values offered as session IDs.

I would greatly appreciate it if someone could point me towards some relevant documentation/resources on this matter.

Thanks very much,
Cristian