Yes, that's true if the monotonically increasing value is added to the
random number _before_ the hash... and even worse, there is nothing that
guarantees that two numbers won't hash to the same value, so we're back
to the duplicate session id problem.

What I was suggesting is adding the integer to the session id _after_
hashing:

ASDFASFDASFDASF000000012
[hashed random][counter]
 
This would guarantee that every session id is unique, and wouldn't
require any synchronization (operator ++ on any integer smaller than a
long is guaranteed atomic, right?).

Jeff Schnitzer
[EMAIL PROTECTED]
The Sims Online
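The `[hashed random][counter]` layout described above, as an added example written for this page (it is not Tomcat's code and not Jeff's): SHA-256 over 32 bytes from `SecureRandom`, hex-encoded, with a zero-padded decimal counter appended after hashing. The class name, the 32-byte seed, and the 8-digit suffix are assumptions. One caveat in the editor's voice: in Java, `++` on an `int` compiles to a load, an add and a store, so it is not atomic (only the individual 32-bit reads and writes are), and two threads can lose an update and hand out the same counter value. The example therefore uses `AtomicLong`, and its `main` shows a plain `int++` losing updates under contention next to the atomic version.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;

/**
 * Added example, not Tomcat's code: session id = hex(SHA-256(32 random bytes)) + zero-padded counter.
 * The counter is appended after hashing, so two ids can never be equal even if two hashes collide.
 */
public final class SessionIdGenerator {
    private static final char[] HEX = "0123456789abcdef".toCharArray();
    private final SecureRandom random = new SecureRandom();
    // AtomicLong, not a plain int: "counter++" is load/add/store and can lose updates
    // when two threads interleave, which would reintroduce duplicate ids.
    private final AtomicLong counter = new AtomicLong();

    public String next() {
        byte[] seed = new byte[32];                // assumption: 256 bits of OS-provided randomness
        random.nextBytes(seed);
        byte[] digest;
        try {
            digest = MessageDigest.getInstance("SHA-256").digest(seed);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 must be available", e);
        }
        // Fixed-length random part + decimal counter: distinct counters give distinct strings.
        return toHex(digest) + String.format("%08d", counter.incrementAndGet());
    }

    long issued() { return counter.get(); }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(HEX[(b >> 4) & 0xF]).append(HEX[b & 0xF]);
        }
        return sb.toString();
    }

    // --- demo: why the counter must be atomic, and that ids stay unique under load ---

    private static int plainCounter = 0;             // the "int++ is atomic, right?" assumption
    private static final AtomicLong atomicCounter = new AtomicLong();

    private static void runInParallel(int threads, Runnable body) throws InterruptedException {
        Thread[] workers = new Thread[threads];
        for (int t = 0; t < threads; t++) {
            workers[t] = new Thread(body);
            workers[t].start();
        }
        for (Thread w : workers) {
            w.join();                                 // join gives us a consistent view of the counters
        }
    }

    public static void main(String[] args) throws InterruptedException {
        final int threads = 4, perThread = 1_000_000;

        // 1. Plain int++ versus AtomicLong under contention.
        runInParallel(threads, () -> {
            for (int i = 0; i < perThread; i++) {
                plainCounter++;                       // read-modify-write, not atomic
                atomicCounter.incrementAndGet();      // atomic
            }
        });
        System.out.println("expected    : " + (long) threads * perThread);
        System.out.println("plain int++ : " + plainCounter + "  (smaller means lost updates)");
        System.out.println("AtomicLong  : " + atomicCounter.get());

        // 2. Ids generated concurrently stay unique because of the counter suffix.
        SessionIdGenerator gen = new SessionIdGenerator();
        Set<String> ids = Collections.synchronizedSet(new HashSet<>());
        runInParallel(threads, () -> {
            for (int i = 0; i < 10_000; i++) {
                ids.add(gen.next());
            }
        });
        System.out.println("unique ids  : " + ids.size() + " of " + gen.issued());
        System.out.println("sample id   : " + gen.next());
    }
}
```

Compile and run with `javac SessionIdGenerator.java && java SessionIdGenerator`. Two design points worth keeping in mind: the suffix is public and monotonic, so it adds nothing to unguessability (that rests entirely on the 256 random bits in front of it) and it leaks only a count of sessions issued; and the hash adds no entropy either, it just fixes the output length, so the generator is only as strong as the `SecureRandom` source behind it.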

-----Original Message-----
From: Tim Funk 
Subject: Re: Duplicate session IDs? 
Date: Wed, 25 Dec 2002 05:54:27 -0800 

Any kind of monotonic increase is bad security. Since everyone can view
the source, everyone knows the algorithm. With enough brute force,
someone can guess session ids.

