I think you may have misunderstood. I'm just pointing out that, from a user's
perspective, a good solution requires two elements:

1) a good PRNG, such as secureRandom
2) a uniqueness guarantee

I'm not saying a PRNG is unneeded. I'm just saying a good one like PRNG is good
enough as long as it is accompanied by a uniqueness guarantee. Are you saying you
want to remove the uniqueness guarantee?

- Glenn


Eric Rescorla <[EMAIL PROTECTED]> writes:

Glenn Olander <[EMAIL PROTECTED]> writes:

5) The strength of the PRNG is largely irrelevant

As a user, I wouldn't trust any solution which lacks a check for
duplicate session IDs, regardless of the strength of the PRNG.

This doesn't seem to me to be a plausible position in view
of the fact that all of our security mechanisms absolutely
depend on statistical uniqueness of randomly generated large
numbers.

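The two elements Glenn lists, written out as an added example that is not part of this thread or of any project discussed in it. Python's `secrets` module stands in for SecureRandom; the weak generator, its pool size and the helper names are constructed here to show what the uniqueness check buys and what it cannot buy:

```python
import secrets
from math import expm1
from typing import Callable

SESSION_ID_BYTES = 16  # 128-bit ids; the birthday bound below defaults to this size


def csprng_id() -> str:
    """Element 1: an id from a cryptographic generator (secrets is os.urandom-backed)."""
    return secrets.token_hex(SESSION_ID_BYTES)


def new_session_id(active: dict, generate: Callable[[], str] = csprng_id,
                   max_attempts: int = 8) -> str:
    """Element 2: never hand out an id that is already live.
    With a sound generator the retry branch is never taken in practice, so
    exhausting max_attempts means the generator is broken; fail loudly."""
    for _ in range(max_attempts):
        sid = generate()
        if sid not in active:
            active[sid] = None  # the caller stores the real session object here
            return sid
    raise RuntimeError("repeated session-id collisions: generator is not random")


def collision_probability(sessions: int, bits: int = 8 * SESSION_ID_BYTES) -> float:
    """Birthday bound for `sessions` uniformly random `bits`-bit ids:
    P(duplicate) ~= 1 - exp(-n^2 / 2^(bits+1)). expm1 keeps tiny values exact."""
    return -expm1(-(sessions ** 2) / 2 ** (bits + 1))


def weak_generator(pool: int) -> Callable[[], str]:
    """Constructed stand-in for a bad PRNG that cycles through `pool` values.
    The uniqueness check keeps the ids distinct but cannot make them
    unpredictable, and issuance stops once the tiny output space is used up."""
    state = {"n": 0}

    def gen() -> str:
        state["n"] += 1
        return format(state["n"] % pool, "032x")
    return gen


def ids_until_failure(generate: Callable[[], str], limit: int = 100) -> int:
    """How many distinct ids the check can extract from `generate` before giving up."""
    active: dict = {}
    for issued in range(limit):
        try:
            new_session_id(active, generate)
        except RuntimeError:
            return issued
    return limit
```

With 128-bit ids the bound only reaches the 39% mark at 2^64 live sessions, which is Eric's point; the duplicate check is cheap insurance against a broken generator, not a substitute for a good one.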
