Posted to dev@tomcat.apache.org by Jason Reid <jr...@agency.com> on 2000/05/19 23:36:38 UTC

RE: Huge security hole in tomcat sessions

> 2.  Use a better, cryptographically strong random number
>     generator instead of Math.random(), one that is seeded
>     by a source with sufficient entropy (and no, the value
>     of currentTimeMillis() at boot does not have enough
>     entropy).

java.security.SecureRandom, which extends Random, may be a good
starting point for this.  It is _not_ especially fast, however, 
and may be overly expensive for a site that does a lot of
session id generation.

	>	Jason Reid
		Technical Consultant
		AGENCY.COM
		100 Woodbridge Center Drive, Suite 102
		Woodbridge, NJ 07095
		Email: jreid@agency.com
		http://www.agency.com

		"Do not meddle in the affairs of programmers, 
		 for they are subtle and quick to anger."
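Added example, not part of the thread or of Tomcat: a session id generator built on java.security.SecureRandom as suggested above. It pays the expensive creation and seeding of SecureRandom once per generator instance rather than per session, which is the usual way to keep the cost mentioned in the reply manageable; the class name and the 16-byte id length are choices made here, not from the thread.

```java
import java.security.SecureRandom;

/**
 * Session id generator backed by java.security.SecureRandom.
 * Hypothetical class written for this thread; not Tomcat code.
 */
public final class SecureSessionIdGenerator {

    // 128 bits of randomness per id (constructed choice for this example).
    private static final int ID_BYTES = 16;
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    // One SecureRandom per generator: construction and initial seeding are
    // the slow part, so they are paid once, not on every session creation.
    // nextBytes() is safe to call from multiple request threads.
    private final SecureRandom random = new SecureRandom();

    public String nextId() {
        byte[] buf = new byte[ID_BYTES];
        random.nextBytes(buf);
        return toHex(buf);
    }

    static String toHex(byte[] bytes) {
        char[] out = new char[bytes.length * 2];
        for (int i = 0; i < bytes.length; i++) {
            int v = bytes[i] & 0xff;
            out[i * 2] = HEX[v >>> 4];
            out[i * 2 + 1] = HEX[v & 0x0f];
        }
        return new String(out);
    }

    public static void main(String[] args) {
        SecureSessionIdGenerator gen = new SecureSessionIdGenerator();
        // Time a batch to see the per-id cost once the instance exists;
        // the first call also absorbs any lazy seeding.
        long start = System.currentTimeMillis();
        String first = gen.nextId();
        for (int i = 1; i < 10000; i++) {
            gen.nextId();
        }
        long elapsed = System.currentTimeMillis() - start;
        System.out.println("sample id: " + first
                + " (" + first.length() + " hex chars)");
        System.out.println("10000 ids in " + elapsed + " ms");
    }
}
```

Running main prints one id and the time for 10000 more, which lets you measure the steady-state cost on your own platform instead of guessing whether SecureRandom is too slow for a given site.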