Craig R. McClanahan wrote:
On Wed, 8 Jan 2003, Aditya wrote:
Date: Wed, 08 Jan 2003 22:36:58 -0800
From: Aditya <[EMAIL PROTECTED]>
Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
To: Tomcat Developers List <[EMAIL PROTECTED]>
Subject: Re: Duplicate session IDs are *common*
On Wed, 08 Jan 2003 19:37:28 -0800, Costin Manolache <[EMAIL PROTECTED]> said:
The default is java.security.SecureRandom - and should give enough
randomness. There is a change on head (that would work with 5.0 -
but it can be backported) that allows you to use /dev/urandom (or
another source - it can be a pipe or something like that).
What about "hashing" the random part with System.currentTimeMillis()
so that even the vanishingly small probability of a collision is
avoided? Or would that be too expensive?
The better check is the one that has been implemented -- if whatever
session id you just calculated (for a new session) is already in use, pick
another one.
I think that is done in ManagerBase.java
Adi
Craig
--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
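
The check discussed in the thread (if the id just generated is already in use, pick another one), as an added example that is not part of the thread and is not Tomcat's ManagerBase code. The class SessionIdDemo, the method createSession and the 1-byte id size are hypothetical; the tiny id size is a constructed worst case so that collisions actually occur.

```java
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical demo class, not Tomcat code.
final class SessionIdDemo {
    private final SecureRandom random = new SecureRandom();
    private final ConcurrentMap<String, Object> sessions = new ConcurrentHashMap<>();
    private final AtomicInteger collisions = new AtomicInteger();
    private final int idBytes;

    SessionIdDemo(int idBytes) { this.idBytes = idBytes; }

    // Draws an id and registers the session under it in one atomic step.
    String createSession(Object session) {
        byte[] buf = new byte[idBytes];
        while (true) {
            random.nextBytes(buf);
            String id = toHex(buf);
            // putIfAbsent closes the check-then-insert race: two threads
            // that draw the same id cannot both claim it.
            if (sessions.putIfAbsent(id, session) == null) {
                return id;
            }
            collisions.incrementAndGet(); // id already in use, pick another
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed worst case: 1-byte ids (256 values), 200 sessions.
        SessionIdDemo tiny = new SessionIdDemo(1);
        for (int i = 0; i < 200; i++) {
            tiny.createSession(new Object());
        }
        // Every session still holds a distinct id; the count of retries varies per run.
        System.out.println("live sessions: " + tiny.sessions.size());
        System.out.println("collisions retried: " + tiny.collisions.get());
        // A realistic size: 16 random bytes (128 bits) per id.
        System.out.println("sample id: " + new SessionIdDemo(16).createSession(new Object()));
    }
}
```

The retry loop only guarantees uniqueness among live sessions; unpredictability of the id still comes entirely from the SecureRandom output and the id length.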