On Wed, 8 Jan 2003, Aditya wrote:
> Date: Wed, 08 Jan 2003 22:36:58 -0800 > From: Aditya <[EMAIL PROTECTED]> > Reply-To: Tomcat Developers List <[EMAIL PROTECTED]> > To: Tomcat Developers List <[EMAIL PROTECTED]> > Subject: Re: Duplicate session IDs are *common* > > > On Wed, 08 Jan 2003 19:37:28 -0800, Costin Manolache <[EMAIL PROTECTED]> said: > > The default is java.security.SecureRandom - and should give enough > > randomness. There is a change on head ( that would work with 5.0 - > > but it can be backported ) that allow you to use /dev/urandom ( or > > another source - it can be a pipe or something like that ). > > what about "hashing" the random part with System.currentTimeMillis() > so that even the vanishingly small probability of a collision is > avoided? Or would that be too expensive? > The better check is the one that has been implemented -- if whatever session id you just calculated (for a new session) is already in use, pick another one. > Adi Craig -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
