Implementations differ, but you should *not* use the session as a security feature -- that's not its intent. Use SSL and client certs if you really need to be secure.

Rod McChesney, Korobra Corporation

Robert A. Crawford wrote:
>
> On Wed, Mar 17, 1999 at 11:38:35AM +0100, Cédric Janssens wrote:
> > Hey folks,
> >
> > Does anyone have information on the logic used to generate the session ID in the
> > servlet?
> > I can't find any implementation constraint in the JSDK 2.1 API.
> > So each servlet engine has its own implementation?
> > Is it secure? That is to say, randomly generated with a good random algorithm
> > ...?
>
> It's dependent on the servlet engine. Apache JServ, for
> example, uses an algorithm that's pretty good at generating unique
> IDs -- a long random number, the server time in milliseconds, and a
> session count, concatenated together. You'd have to cycle through
> an int's worth of sessions _and_ get the same hit on the random
> number generator all in the same millisecond.
>
> --
> Robert Crawford [EMAIL PROTECTED]
> http://www.iac.net/~crawford
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
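As an added illustration of the two approaches under discussion (this is not code from the list, from Apache JServ, or from the JSDK), the class below builds a concatenated ID of the kind Robert describes, with assumed components (a `java.util.Random` long, `System.currentTimeMillis()`, and a session counter), next to an ID drawn entirely from `java.security.SecureRandom`. The class, method names and the entropy-accounting helper are my own; the point it shows is that the printed length of a concatenated ID overstates how hard it is to guess, because the clock and the counter contribute only as much uncertainty as an observer actually has about them.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added example: compares a "random + time + counter" session ID (assumed
// structure, not JServ's actual code) with an ID built only from a CSPRNG.
public class SessionIdDemo {

    // --- Concatenation scheme of the kind described on the list ---
    // java.util.Random is a 48-bit linear congruential generator: good enough
    // for uniqueness, but its whole output stream is fixed by 48 bits of state,
    // so the 64-bit value it prints carries at most 48 bits of uncertainty.
    private static final Random PRNG = new Random();
    private static long sessionCount = 0;

    static synchronized String concatenatedId() {
        long randomPart = PRNG.nextLong();           // up to 48 bits of state behind it
        long timePart = System.currentTimeMillis();  // roughly known to anyone watching
        long countPart = ++sessionCount;             // small, monotonically increasing
        return randomPart + "-" + timePart + "-" + countPart;
    }

    // --- Hardened alternative: every bit comes from a cryptographic RNG ---
    // SecureRandom has been in the JDK since 1.1. Nothing guessable is mixed in,
    // so the ID's length is an honest measure of its unpredictability.
    private static final SecureRandom CSPRNG = new SecureRandom();

    static String randomId() {
        byte[] buf = new byte[16];                   // 128 bits of entropy
        CSPRNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(32);
        for (byte b : buf) {
            sb.append(String.format("%02x", b));     // hex keeps it cookie-safe
        }
        return sb.toString();
    }

    private static double log2(double x) {
        return Math.log(x) / Math.log(2);
    }

    // Entropy accounting for a concatenated ID. randomStateBits is the generator's
    // real state size (48 for java.util.Random); timeUncertaintyMs and
    // countUncertainty are how far off an observer's estimate of the creation
    // time and of the session counter might be. Returns {nominal, effective}:
    // nominal is what three printed 64-bit fields suggest, effective is what the
    // observer actually has to overcome.
    static double[] entropyAccounting(int randomStateBits,
                                      double timeUncertaintyMs,
                                      double countUncertainty) {
        double nominal = 64 + 64 + 64;
        double effective = randomStateBits
                + log2(Math.max(1.0, timeUncertaintyMs))
                + log2(Math.max(1.0, countUncertainty));
        return new double[] {nominal, effective};
    }

    public static void main(String[] args) {
        System.out.println("concatenated: " + concatenatedId());
        System.out.println("concatenated: " + concatenatedId());
        System.out.println("secure random: " + randomId());
        System.out.println("secure random: " + randomId());

        // Constructed scenario: observer knows the creation time to within one
        // minute and the counter to within 1000 sessions.
        double[] bits = entropyAccounting(48, 60_000, 1_000);
        System.out.printf("concatenated ID: nominal %.0f bits, effective ~%.1f bits%n",
                bits[0], bits[1]);
        System.out.println("SecureRandom ID: 128 bits, all of them unpredictable");
    }
}
```

Compile and run with `javac SessionIdDemo.java && java SessionIdDemo`. The numbers the accounting helper prints are an illustration of the reasoning, not a measurement of any particular engine; the defensive takeaways are to draw the entire identifier from a cryptographic generator, and, as Rod says, to carry it over SSL rather than treating the ID itself as the security boundary.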
