Generating a truly unique session id

 
Rishi Singh
Ranch Hand
Posts: 321
Hi All,
Basically, I was looking for some pointers, sample code, etc. on generating a unique session id:
1. unique across server reboots, etc. -- unique in perpetuity
2. unique so as to be used as the primary key in a database table,
3. computationally infeasible to guess a correct one (users will be able to see instances of these session id's, but given a session id or any number of them, they shouldn't be able to figure out how to generate another valid one themselves)
In Jason Hunter's book, he has the following example:
private static String generateSessionId() {
    String uid = new java.rmi.server.UID().toString();
    return java.net.URLEncoder.encode(uid);
}
I can't seem to find references to java.rmi.server.UID() so I can't evaluate if this satisfies the requirements above.
There's some discussion that's related to this in Bruce Schneier's Applied Crypto (page 427-ish) but I have to admit I don't quite follow the discussion enough to trust implementing it myself in Java.
I'm so not a crypto person, but surely this is well-trodden territory.
Thanks in advance for any help!
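An added example, not code from this thread or from Jason Hunter's book, of a generator that meets the three requirements with java.security.SecureRandom instead of java.rmi.server.UID. UID.toString() is a per-JVM value, a millisecond timestamp and a counter written in hex, so anyone who has seen one value knows the shape of the next ones and requirement 3 is not met; 256 bits drawn from a CSPRNG have no such structure, and the collision probability is small enough that the value can serve as a primary key across reboots. The class and method names are mine, and it assumes Java 8 or later for java.util.Base64.

```java
import java.security.SecureRandom;
import java.util.Base64;

public final class SessionIdGenerator {
    // 32 bytes = 256 bits of CSPRNG output. 128 bits is already infeasible
    // to guess; 256 leaves margin for very long-lived ids.
    private static final int ID_BYTES = 32;

    // SecureRandom is seeded by the platform CSPRNG and is thread-safe.
    private static final SecureRandom RNG = new SecureRandom();

    // URL-safe alphabet, no '=' padding: the id can go into a cookie,
    // a URL or a VARCHAR column without further encoding.
    private static final Base64.Encoder URL_SAFE =
            Base64.getUrlEncoder().withoutPadding();

    public static String generateSessionId() {
        byte[] raw = new byte[ID_BYTES];
        RNG.nextBytes(raw);
        return URL_SAFE.encodeToString(raw); // 43 characters for 32 bytes
    }

    public static void main(String[] args) {
        // Side by side: the UID form from the book and the random form.
        // UID.toString() is "<per-JVM int>:<millis>:<counter>" in hex, so
        // consecutive values differ only in the counter and timestamp.
        System.out.println("UID:          " + new java.rmi.server.UID());
        System.out.println("UID:          " + new java.rmi.server.UID());
        System.out.println("SecureRandom: " + generateSessionId());
        System.out.println("SecureRandom: " + generateSessionId());
    }
}
```

Store either the 43-character string or the 32 raw bytes as the key; both are unique for practical purposes. Whichever generator is used, issue a fresh id when a user logs in so that an id observed before authentication does not stay valid afterwards.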
 
William Brogden
Author and all-around good cowpoke
Rancher
Posts: 13078
The java.rmi.server.UID docs say:
Creates a pure identifier that is unique with respect to the host on which it is generated. This UID is unique under the following conditions: a) the machine takes more than one second to reboot, and b) the machine's clock is never set backward. In order to construct a UID that is globally unique, simply pair a UID with an InetAddress.
Since: JDK 1.1
Bill
 
Madhav Lakkapragada
Ranch Hand
Posts: 5040
and b) the machine's clock is never set backward.
Not to disagree with your comments Bill, but
just curious, why would this be a requirement?
Technically speaking...
Thanks.
- madhav
ps:
I love to add such requirements when I author a "requirements document", hence the curiosity.
[ May 23, 2002: Message edited by: Madhav Lakkapragada ]
 
James Swan
Ranch Hand
Posts: 403
I would assume the algorithm has a dependency on using the current time from the host machine.
If you set the time on the machine to a date in the past, there would be a random chance that it could create a previously used id.
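A simplified model, added here and not the JDK's own algorithm, of why a timestamp-plus-counter id depends on the clock never going backward. Only the time and counter parts of the UID layout are modelled (the per-JVM value is left out), the clock is injected so a rewind can be simulated, and the second generator instance stands for the process after a reboot. The class names and the clock values are constructed for the demonstration.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.function.LongSupplier;

public final class ClockRollbackDemo {
    // Time-plus-counter ids: the counter restarts whenever the millisecond changes.
    static final class TimeCounterIds {
        private final LongSupplier clock;
        private long lastTime = Long.MIN_VALUE;
        private int count = 0;

        TimeCounterIds(LongSupplier clock) {
            this.clock = clock;
        }

        String next() {
            long now = clock.getAsLong();
            if (now == lastTime) {
                count++;
            } else {
                lastTime = now;
                count = 0;
            }
            return Long.toHexString(now) + ":" + Integer.toHexString(count);
        }
    }

    /** Counts ids reused after a restart whose clock starts behind where the old run ended. */
    static int duplicatesAfterRollback() {
        long[] clock = {1000L};                       // constructed clock, in milliseconds
        Set<String> seen = new HashSet<>();

        TimeCounterIds beforeReboot = new TimeCounterIds(() -> clock[0]);
        for (int i = 0; i < 3; i++) {                 // clock moves forward normally
            seen.add(beforeReboot.next());
            clock[0]++;
        }

        clock[0] = 1000L;                             // clock set backward during the reboot
        TimeCounterIds afterReboot = new TimeCounterIds(() -> clock[0]);
        int dups = 0;
        for (int i = 0; i < 3; i++) {
            // an id already in 'seen' is a collision caused by the rollback
            if (!seen.add(afterReboot.next())) dups++;
            clock[0]++;
        }
        return dups;
    }

    public static void main(String[] args) {
        System.out.println("ids repeated after clock rollback: " + duplicatesAfterRollback());
    }
}
```

This is why the UID documentation lists the two clock conditions: within one process the counter keeps ids apart, but after a restart the generator has no memory of what it issued, and a clock that is behind where it was can replay the same timestamps. A random id from a CSPRNG has no dependency on the clock at all.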
 
Rishi Singh
Ranch Hand
Posts: 321
well madhav,
I guess the requirements stem from the fact that someone may try to malign your site by guessing ids with malicious code
 