Eric Rescorla wrote:
> 
> Glenn Olander <[EMAIL PROTECTED]> writes:
> > 5) The strength of the PRNG is largely irrelevant
> > 
> > As a user, I wouldn't trust any solution which lacks a check for
> > duplicate session id's, regardless of the strength of the PRNG.
> This doesn't seem to me to be a plausible position in view
> of the fact that all of our security mechanisms absolutely
> depend on statistical uniqueness of randomly generated large
> numbers.
> 

These are 2 different points I think. If you randomly generate numbers
between 1 and 1,000,000 you will, after a point in time, have
duplicate numbers. In fact, all will be duplicated over some time.
Valid and "trusted" session ids should be random and unique at the
same time. PRNG takes care of one aspect.

-- 
===========================================================================
   Jim Jagielski   [|]   [EMAIL PROTECTED]   [|]   http://www.jaguNET.com/
      "A society that will trade a little liberty for a little order
             will lose both and deserve neither" - T.Jefferson

--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
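Added example (not from this thread or from any of the projects it discusses): the two points above, randomness and uniqueness, side by side. A birthday-bound calculator shows how quickly a small space such as 1..1,000,000 repeats, and a small issuer draws 128-bit IDs from the OS CSPRNG yet still checks every new ID against the active set. `SessionIdIssuer`, `weak_generator` and the numbers fed to them are constructed for illustration; they are not any real server's code.

```python
"""Session IDs need both randomness (unpredictability) and uniqueness.

Illustrative code: a birthday-bound calculator plus a session-ID issuer
that draws from the OS CSPRNG and still rejects duplicates against the
active set. All names here are constructed for this example.
"""
import math
import secrets
from typing import Callable, Set


def birthday_collision_probability(space_size: int, draws: int) -> float:
    """P(at least one duplicate) when `draws` IDs are picked uniformly from `space_size`.

    Exact product for modest `draws`; the usual exp(-n(n-1)/2N) approximation
    otherwise. expm1 keeps precision when the probability is tiny (large ID spaces).
    """
    if draws <= 1:
        return 0.0
    if draws > space_size:
        return 1.0  # pigeonhole: more IDs than slots guarantees a duplicate
    if draws <= 10_000:
        p_unique = 1.0
        for i in range(draws):
            p_unique *= (space_size - i) / space_size
        return 1.0 - p_unique
    return -math.expm1(-draws * (draws - 1) / (2.0 * space_size))


class SessionIdIssuer:
    """Issues session IDs from a generator and guarantees no ID is active twice.

    The default generator is secrets.token_hex(16): 128 random bits from the
    OS CSPRNG. A deliberately small generator can be injected to show that the
    duplicate check alone cannot rescue an undersized ID space.
    """

    def __init__(self, generate: Callable[[], str] = lambda: secrets.token_hex(16),
                 max_attempts: int = 8) -> None:
        self._generate = generate
        self._max_attempts = max_attempts
        self._active: Set[str] = set()

    def issue(self) -> str:
        for _ in range(self._max_attempts):
            sid = self._generate()
            if sid not in self._active:  # the uniqueness check the thread asks for
                self._active.add(sid)
                return sid
        # Repeated collisions mean the ID space is too small (or the RNG is broken);
        # failing loudly is safer than handing a second client an existing session.
        raise RuntimeError("could not allocate a unique session id")

    def revoke(self, sid: str) -> None:
        self._active.discard(sid)

    def active_count(self) -> int:
        return len(self._active)


def weak_generator(space_size: int) -> Callable[[], str]:
    """Constructed weak generator: random, but drawn from a tiny space (e.g. 1..1,000,000)."""
    return lambda: str(secrets.randbelow(space_size) + 1)


if __name__ == "__main__":
    print("1..1,000,000 space, 1178 sessions:",
          birthday_collision_probability(1_000_000, 1178))
    print("128-bit space, 1e9 sessions:",
          birthday_collision_probability(2**128, 10**9))
    issuer = SessionIdIssuer()
    ids = {issuer.issue() for _ in range(1000)}
    print("distinct 128-bit ids:", len(ids))
```

With a million-value space the odds of a repeat pass 50% after only about 1,178 sessions, which is the "after a point in time" in the message above; with 128 random bits a billion sessions still leave the collision probability far below anything measurable, yet the issuer keeps the duplicate check anyway because it is cheap and catches a broken RNG. The weak generator shows the other half: once a tiny space is full, no amount of rechecking produces a fresh ID, so the issuer refuses rather than reusing one.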
