E S wrote:
>
> So, I thought something like this would be addressed in the archives, but a
> search on "generate unique session id" didn't turn up anything fruitful. I'd
> guess that my scenario is hardly uncommon: generate a unique id that you can
> send in an email to a user (e.g.
> "http://foo.com/servlets/foo?uniqueId=abc123") and when the user follows the
> link, you look up that uniqueId in your database and return some results. I
> think I've seen sites do something like this for resetting forgotten
> passwords or something. So, the id is only valid once, if the wrong person
> could guess how to generate a valid one, that would be bad since he could
> then appropriate someone else's account, etc. This seems like the kind of
> thing banks would have figured out a best practice means for doing =)
>
> Basically, I was looking for some pointers, sample code, etc. on generating
> a unique session id:
> 1. unique across server reboots, etc. --unique in perpetuity
> 2. unique so as to be used as the primary key in a database table,
> 3. computationally infeasible to guess a correct one (users will be able to
> see instances of these session ids, but given a session id or any number of
> them, they shouldn't be able to figure out how to generate another valid one
> themselves)
>
> In Jason Hunter's book, he has the following example:
> private static String generateSessionId() {
>     String uid = new java.rmi.server.UID().toString();
>     return java.net.URLEncoder.encode(uid);
> }
>
> I can't seem to find references to java.rmi.server.UID() so I can't evaluate
> if this satisfies the requirements above.
>
> There's some discussion that's related to this in Bruce Schneier's Applied
> Crypto (page 427-ish) but I have to admit I don't quite follow the
> discussion enough to trust implementing it myself in Java.
>
> I'm so not a crypto person, but surely this is well-tread territory. Thanks
> in advance for any help!
>

Probably the simplest way is to create a 64-bit random number (a long), try
adding it to the database - if it fails because it isn't unique, create
another one and try again. (If that happens, then either you've been
_stunningly_ unlucky, or you have a poor random number generator.)

Tim.

> -Eddie
>
>
> ___________________________________________________________________________
> To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
> of the message "signoff SERVLET-INTEREST".
>
> Archives: http://archives.java.sun.com/archives/servlet-interest.html
> Resources: http://java.sun.com/products/servlet/external-resources.html
> LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
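As an added example (not code from the thread, Jason Hunter's book, or the list), here is Tim's "draw a random value, insert it, retry on collision" scheme written out as a small one-time token issuer. It goes a step beyond the 64-bit long Tim describes: the token is 16 bytes (128 bits) from `java.security.SecureRandom`, which addresses Eddie's third requirement (unguessable even after seeing many tokens), and it is URL-safe Base64 encoded so it can go straight into the query string. The `HashSet` is an assumed stand-in for a table with a UNIQUE constraint on the token column; the class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

/**
 * One-time token issuer (added example, not from the original thread).
 * Tokens are 128 random bits from SecureRandom; the Set below stands in for a
 * database table keyed on the token, where a duplicate INSERT would fail.
 */
public final class OneTimeTokens {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int TOKEN_BYTES = 16;   // 128 bits of entropy
    private static final int MAX_ATTEMPTS = 5;   // collisions should never repeat

    // Stand-in for the UNIQUE-keyed table. A real servlet would run an INSERT
    // and treat a duplicate-key SQLException the same way add() == false is treated.
    private final Set<String> issued = new HashSet<>();

    /** Draws a fresh token, records it as issued, and returns it. */
    public synchronized String issue() {
        for (int attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
            byte[] raw = new byte[TOKEN_BYTES];
            RNG.nextBytes(raw);
            // URL-safe alphabet, no padding: 22 characters, no escaping needed.
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            if (issued.add(token)) {
                return token;
            }
            // add() returned false: the value already exists. With 128 random
            // bits this is astronomically unlikely; hitting it repeatedly means
            // the random source is broken, so give up rather than loop forever.
        }
        throw new IllegalStateException("could not generate a unique token; check the RNG");
    }

    /**
     * Redeems a token presented by the user. Returns true only the first time an
     * issued token is presented; the token is deleted so it cannot be reused.
     */
    public synchronized boolean redeem(String token) {
        return token != null && issued.remove(token);
    }

    public static void main(String[] args) {
        OneTimeTokens tokens = new OneTimeTokens();
        String t = tokens.issue();
        System.out.println("link: http://foo.com/servlets/foo?uniqueId=" + t);
        System.out.println("first redeem:  " + tokens.redeem(t));
        System.out.println("second redeem: " + tokens.redeem(t));
        System.out.println("forged token:  " + tokens.redeem("abc123"));
    }
}
```

Two points the code makes that the thread only hints at: the unguessability requirement is met by the random source, not by the retry loop (the loop only protects the database key), so `java.util.Random` or a time-and-counter value like `java.rmi.server.UID` would satisfy uniqueness but not Eddie's third requirement; and the "valid once" property comes from deleting the row on redemption, not from how the token was generated.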
