[EMAIL PROTECTED] wrote:
> <SessionIdGenerator useDevRandom="true"/>
Thanks. I figured it out after I asked that silly question. It must have
been the most brain dead question you had to answer in a while, I guess.
A good read of server.xml will get you a long way these days ;-)
> Note that the option will be disabled by default ( I'm even thinking of
> creating a new DevRandomGenerator and moving it in proposals, but the code
> doesn't affect in any way "normal" random generation and is simple
> enough).
>
> The main question is what happens on high load - can /dev/random generate
> randoms fast enough ? If not, probably we should use it only to initialize
> the java random genearator.
The problem with /dev/random is not 'can it generate random data fast
enough' but 'is there enough randomness in the system for it to be
generated'. /dev/random is implemented (on Linux) in the kernel, so the
generation itself should be as fast as you can get. Try something like
this on a Linux system that doesn't have anything happening in the
background:
- open two shells while in X Windows
- run 'cat /dev/random' in both
- don't touch the mouse/keyboard and after a while both cats will block
- move the mouse and they'll both continue spitting out 'random' data
So the main problem would probably be that if the system is idle for a
while, /dev/random would block. I was running this patch in Tomcat 3.2.1
in my production environment and never had that kind of problem. But
then again, who knows...
In reality the problem can be solved by simply touching something on the
disk, sending a packet or two using the NIC's or something else. Usually
the systems running Apache/Tomcat are busy serving packets anyway, so
that covers it.
If you wish, we can document all this and then people can make an
informed decision.
Bojan
