So, I thought something like this would be addressed in the archives, but a
search on "generate unique session id" didn't turn up anything fruitful. I'd
guess that my scenario is hardly uncommon: generate a unique id that you can
send in an email to a user (e.g.
"http://foo.com/servlets/foo?uniqueId=abc123") and when the user follows the
link, you look up that uniqueId in your database and return some results. I
think I've seen sites do something like this for resetting forgotten
passwords or something. So the id is only valid once; if the wrong person
could guess how to generate a valid one, that would be bad, since he could
then appropriate someone else's account, etc. This seems like the kind of
thing banks would have figured out a best practice means for doing =)

Basically, I was looking for some pointers, sample code, etc. on generating
a unique session id:
1. unique across server reboots, etc. --unique in perpetuity
2. unique so as to be used as the primary key in a database table,
3. computationally infeasible to guess a correct one (users will be able to
see instances of these session ids, but given a session id or any number of
them, they shouldn't be able to figure out how to generate another valid one
themselves)

In Jason Hunter's book, he has the following example:
private static String generateSessionId() {
    // UID = a per-VM unique number + timestamp + counter, rendered as text
    String uid = new java.rmi.server.UID().toString();
    // percent-encode it so the result is safe to put in a query string
    return java.net.URLEncoder.encode(uid);
}

I can't seem to find references to java.rmi.server.UID() so I can't evaluate
if this satisfies the requirements above.

There's some discussion that's related to this in Bruce Schneier's Applied
Crypto (page 427-ish) but I have to admit I don't quite follow the
discussion enough to trust implementing it myself in Java.

I'm so not a crypto person, but surely this is well-tread territory. Thanks
in advance for any help!

-Eddie
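Added illustration (not from Jason Hunter's book and not from anyone on the list): one way to meet the three requirements in the list above using java.security.SecureRandom instead of java.rmi.server.UID. Uniqueness comes from 256 random bits (a collision is astronomically unlikely, and a UNIQUE key on the column rejects one anyway), the primary key is the token's SHA-256 hash, and unguessability comes from the cryptographic RNG rather than from a timestamp/counter. The class and method names (ResetTokens, issue, redeem), the in-memory HashMap standing in for the database table, and the one-hour lifetime are all assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class ResetTokens {
    // SecureRandom draws from the platform's cryptographic RNG, so a token
    // cannot be predicted from any number of previously seen tokens.
    private static final SecureRandom RNG = new SecureRandom();
    private static final int TOKEN_BYTES = 32;               // 256 random bits
    private static final long LIFETIME_MS = 60L * 60 * 1000; // assumed: one hour

    // Assumed stand-in for the database table, keyed by the token hash.
    // The real table would put a UNIQUE/primary key on that column so a
    // duplicate is rejected at insert time instead of overwriting a row.
    private final Map<String, Entry> table = new HashMap<>();

    private static final class Entry {
        final String userId;
        final long expiresAt;
        Entry(String userId, long expiresAt) {
            this.userId = userId;
            this.expiresAt = expiresAt;
        }
    }

    // 32 random bytes as URL-safe base64 without padding: 43 characters that
    // can go straight into ?uniqueId=... with no further encoding.
    public static String newToken() {
        byte[] buf = new byte[TOKEN_BYTES];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Store only a hash of the token, so someone who can read the table
    // (backup, SQL injection, curious DBA) still cannot build a valid link.
    static String hashToken(String token) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(token.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required in every Java platform", e);
        }
    }

    // Issue a token for a user; the raw token goes only into the email.
    public String issue(String userId, long nowMs) {
        String token = newToken();
        table.put(hashToken(token), new Entry(userId, nowMs + LIFETIME_MS));
        return token;
    }

    // Redeem the token from the link. remove() makes it single-use; an
    // unknown, already-used or expired token all fail the same way (null).
    public String redeem(String token, long nowMs) {
        Entry e = table.remove(hashToken(token));
        if (e == null || nowMs > e.expiresAt) {
            return null;
        }
        return e.userId;
    }

    public static void main(String[] args) {
        ResetTokens tokens = new ResetTokens();
        long now = System.currentTimeMillis();
        String t = tokens.issue("eddie", now);
        System.out.println("link: http://foo.com/servlets/foo?uniqueId=" + t);
        System.out.println("first redeem : " + tokens.redeem(t, now + 1000));
        System.out.println("second redeem: " + tokens.redeem(t, now + 2000));
        String late = tokens.issue("eddie", now);
        System.out.println("after expiry : " + tokens.redeem(late, now + LIFETIME_MS + 1));
    }
}
```

The point of hashing before storing is that the database row never needs to hold the secret; the lookup works because SHA-256 is deterministic, and nothing stops a single-use plus expiry check from being layered on top of whatever uniqueness the key column already provides.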


___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html