From Tim Funk <>
Subject Re: Why are manager session tokens generated with MD5 by default?
Date Tue, 06 Jan 2009 13:02:16 GMT
Just turning the random number into a session id should be sufficient and 
we can forget the MD5 altogether. But if someone figures out the seed 
and can guess future subsequent numbers, then they can guess future 
session ids.

By using a hashing algorithm - it makes it impossible to guess what 
numbers came from the random number generator.

If MD5 is so broken that a person can piece together a long enough 
sequence of numbers to figure out the seed - and guess future session 
ids - then we need to replace it.

But MD5 is not that broken.


Minoo Hamilton wrote:
> I'd like to re-raise an issue, since I didn't get too much of a 
> response, originally.  Who can I talk to to lobby to get the default 
> behavior of using MD5 session token hashes to change?  If you weren't 
> aware of it, there has been a recent and highly-publicized breaking of 
> SSL, by creating a rogue certificate authority, using collisions in 
> MD5.  Creating collisions in MD5 is no longer a "highly theoretical" 
> attack for potential session hijacking.  I'd very much like to see the 
> default behavior of Tomcat session tokens become more secure by default 
> (possibly SHA-256).  I think the default hashing algorithm should not be 
> a known broken and insecure one.
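
The scheme the thread is arguing about (random bytes from a generator, passed through a digest, hex-encoded) written out as an added example; this is illustrative Python, not Tomcat's own code, and the digest name, byte count and helper names are assumptions. It also makes the practitioner's caveat explicit: the digest hides the generator's output but adds no entropy, so the id is never harder to guess than the random input behind it.

```python
import hashlib
import secrets


def make_session_id(random_bytes: bytes, digest: str = "sha256") -> str:
    # The observer sees only digest output, never the raw generator output,
    # which is the point Tim makes: recovering the generator's state from
    # ids would require inverting the digest (a preimage, not a collision).
    h = hashlib.new(digest)
    h.update(random_bytes)
    return h.hexdigest()


def new_session_id(nbytes: int = 16, digest: str = "sha256") -> str:
    # secrets.token_bytes is the OS CSPRNG. An unpredictable source is the
    # real defence; a digest over a guessable PRNG does not rescue it.
    return make_session_id(secrets.token_bytes(nbytes), digest)


def effective_entropy_bits(nbytes: int, digest: str = "sha256") -> int:
    # Hashing adds no entropy: swapping MD5 for SHA-256 lengthens the id,
    # but 16 random input bytes still give at most 128 bits of guesswork.
    digest_bits = hashlib.new(digest).digest_size * 8
    return min(nbytes * 8, digest_bits)


def all_distinct(ids) -> bool:
    # Sanity check a deployment can run on a batch of freshly issued ids.
    return len(set(ids)) == len(ids)
```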

