Jim Jagielski <[EMAIL PROTECTED]> writes:

> Of course, as you said, it depends on the range and the timespan.
>
> But it doesn't change the fact that randomness != uniqueness, which is
> what Glenn's point was I think.

Perhaps not from a theoretical perspective, but from a practical perspective it does. With a sufficiently large session ID, the probability of a collision can be made vastly less than the probability of some sort of programming error (or a hardware error) making an invalid session appear valid.

As I said previously, the entire practice of modern security depends on this.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
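
The collision argument in the message above, worked through as an added example (not part of the original message or thread): it uses the standard birthday-bound approximation for IDs drawn uniformly at random, and sizes an ID for a chosen collision target. The function names, session counts and target probability are assumptions made for illustration.

```python
import math
import secrets


def collision_probability(id_bits: int, sessions: int) -> float:
    """Birthday-bound approximation for uniformly random IDs:
    P(collision) ~= 1 - exp(-n(n-1) / 2^(b+1)), n sessions, b-bit IDs."""
    if sessions < 2:
        return 0.0
    exponent = -sessions * (sessions - 1) / 2.0 ** (id_bits + 1)
    # expm1 keeps precision when the probability is far below float epsilon,
    # where 1 - exp(x) would round to exactly 0.
    return -math.expm1(exponent)


def min_bits_for(sessions: int, max_probability: float) -> int:
    """Smallest ID size (bits) whose collision probability stays at or
    below max_probability for the given number of live sessions."""
    bits = 1
    while collision_probability(bits, sessions) > max_probability:
        bits += 1
    return bits


def new_session_id(id_bits: int) -> str:
    """Draw an ID from the OS CSPRNG, rounded up to whole bytes.
    The bound above only holds if IDs are uniform, hence `secrets`."""
    return secrets.token_hex((id_bits + 7) // 8)


if __name__ == "__main__":
    # Constructed scenario: one billion concurrent sessions.
    n = 10**9
    for bits in (32, 64, 128):
        print(f"{bits:3d}-bit IDs, {n} sessions: "
              f"P ~= {collision_probability(bits, n):.3e}")
    target = 1e-18  # assumed acceptable collision probability
    need = min_bits_for(n, target)
    print(f"bits needed for P <= {target}: {need}")
    print("sample ID:", new_session_id(need))
```
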