Yes, according to the J2EE specification, session IDs are supposed to be unique. From the description of the javax.server.http.HttpSession.getID() method:
"Returns a string containing the unique identifier assigned to this session. The identifier is assigned by the servlet container and is implementation dependent." Because this is "implementation dependent" the answer to your question "how are they created" depends on which servlet container you're using. If you're running CFMX/JRun you'll get one answer, if you're running WebSphere or WebLogic or JBoss you'll get different answers. Other than JBoss, which is open source, I doubt the other vendors are going to reveal their algorithms for generating unique session IDs. Vince Bonfanti New Atlanta Communications, LLC > I can't seem to find an answer to this anywhere - are J2EE sessionIDs > unique? That is, if I close/open the browser infinitely, am I > guaranteed not to duplicate IDs? What are they based on, how are > they created? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Upgrade to Adobe ColdFusion MX7 The most significant release in over 10 years. Upgrade & see new features. http://www.adobe.com/products/coldfusion Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:270453 Subscription: http://www.houseoffusion.com/groups/CF-Talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=11502.10531.4