I can also report that I've seen this happen when the system is under load. We had a
user log in and gain access to another user's session. I'm sure you can understand that
makes it a very serious bug for security-sensitive applications, perhaps even deserving
some kind of security alert announcement.

Tim's patch is robust and seems like a good candidate for inclusion in the source
at the earliest opportunity since it ensures that no duplicate session IDs will be
commissioned (and ManagerBase already uses SecureRandom).


Eric Rescorla wrote:

The standard fix for this is to use a cryptographic pseudo-random
number generator, such as Java's SecureRandom. SecureRandom
automatically seeds itself from allegedly random system data.
The probability that two sufficiently long random numbers
(e.g. 16 bytes) will collide is vanishing. (E.g. with a 16-byte
session ID, you'd have to generate > 2^60 session IDs to have
a reasonable chance of collision.)


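The two measures discussed in this thread, random IDs from SecureRandom and a check that an ID is never issued twice, can be combined as in the following added example. It is not Tomcat's ManagerBase code and not the patch referred to above; the class `SessionIdAllocator` and its methods are hypothetical names, and the 1-byte ID size in `main` is a constructed, deliberately tiny value used only to make collisions occur.

```java
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Hypothetical class for illustration; not Tomcat's ManagerBase or the patch above.
public class SessionIdAllocator {
    private final SecureRandom random = new SecureRandom(); // self-seeding CSPRNG
    private final ConcurrentMap<String, Object> sessions = new ConcurrentHashMap<>();
    private final int idBytes;

    public SessionIdAllocator(int idBytes) { this.idBytes = idBytes; }

    // Draw a random ID and claim it atomically; redraw if it is already in use.
    public String allocate(Object session) {
        byte[] buf = new byte[idBytes];
        while (true) {
            random.nextBytes(buf);
            StringBuilder hex = new StringBuilder(idBytes * 2);
            for (byte b : buf) hex.append(String.format("%02x", b));
            String id = hex.toString();
            // putIfAbsent returns null only for the one caller that claimed the ID,
            // so two logins racing under load can never end up on the same entry.
            if (sessions.putIfAbsent(id, session) == null) return id;
        }
    }

    // Birthday approximation: P(collision) ~= 1 - exp(-n^2 / 2^(bits+1)).
    public static double collisionProbability(double n, int bits) {
        return -Math.expm1(-(n * n) / Math.pow(2.0, bits + 1));
    }

    public static void main(String[] args) {
        // Constructed stress case: only 256 possible IDs, so random draws collide
        // often and the retry path runs; every session still gets its own ID.
        SessionIdAllocator tiny = new SessionIdAllocator(1);
        java.util.Set<String> seen = new java.util.HashSet<>();
        for (int i = 0; i < 200; i++) seen.add(tiny.allocate("user" + i));
        System.out.println("distinct 1-byte IDs issued: " + seen.size());

        SessionIdAllocator real = new SessionIdAllocator(16);
        System.out.println("16-byte ID: " + real.allocate("user"));
        System.out.println("P(collision) after 2^60 IDs of 128 bits: "
                + collisionProbability(Math.pow(2, 60), 128));
    }
}
```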