Posted to dev@tomcat.apache.org by Jason Reid <jr...@agency.com> on 2000/05/19 23:36:38 UTC
RE: Huge security hole in tomcat sessions
> 2. Use a better, cryptographically strong random number
> generator instead of Math.random(), one that is seeded
> by a source with sufficient entropy (and no, the value
> of currentTimeMillis() at boot does not have enough
> entropy).
java.security.SecureRandom, which extends Random, may be a good
starting point for this. It is _not_ especially fast, however,
and may be overly expensive for a site that does a lot of
session id generation.
Jason Reid
Technical Consultant
AGENCY.COM
100 Woodbridge Center Drive, Suite 102
Woodbridge, NJ 07095
Email: jreid@agency.com
http://www.agency.com
"Do not meddle in the affairs of programmers,
for they are subtle and quick to anger."
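An added illustration of the suggestion above (example code, not Tomcat's or the poster's own): a session id generator that draws every id from one reused SecureRandom instance, which also addresses the cost concern, since construction and self-seeding happen once rather than on every request. The class name and the 16-byte id length are assumptions.

```java
import java.security.SecureRandom;

/**
 * Session id generator built on java.security.SecureRandom.
 * Added illustration; not Tomcat's code.
 */
public final class SecureSessionIdGenerator {

    // 16 bytes = 128 bits of randomness per id (assumed length).
    private static final int ID_BYTES = 16;

    // One instance per generator. SecureRandom seeds itself from the
    // platform entropy source; it is NOT seeded from currentTimeMillis().
    // Constructing a new SecureRandom per request is what makes it
    // expensive; reusing a single instance (it is thread-safe) is not.
    private final SecureRandom random;

    public SecureSessionIdGenerator() {
        this.random = new SecureRandom();
        // Trigger self-seeding now so the first request does not pay for it.
        this.random.nextBytes(new byte[1]);
    }

    /** Returns a fresh, unpredictable session id as lowercase hex. */
    public String nextId() {
        byte[] raw = new byte[ID_BYTES];
        random.nextBytes(raw);
        StringBuilder sb = new StringBuilder(ID_BYTES * 2);
        for (byte b : raw) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        SecureSessionIdGenerator gen = new SecureSessionIdGenerator();
        // Two ids from the same instance; each is a 32-character hex string.
        System.out.println(gen.nextId());
        System.out.println(gen.nextId());
    }
}
```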