Strengthening SessionCache.getNextSessionId

The current code looks like:
<pre>
private synchronized static String getNextSessionId() {
return Long.toString(sContextSeqNo++);
}
</pre>
I suggest replacing it with something that takes the account ID as a parameter, then does the following pseudocode:
1. Generate a large random number.
2. Stringify it and prepend the account ID.
3. If it's in the cache already, go back to step 1.
4. Return.
This will give the wonderful advantage of being able to pass session IDs back to the client without fearing that they'll be guessed by an attacker, especially when a servlet that doesn't use cookies is running.
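The four-step procedure above, written out as an added example (not the project's own SessionCache code): it assumes a String account ID, a ConcurrentHashMap as a stand-in for the cache's session table, and SecureRandom as the source of the "large random number"; putIfAbsent is used so that the "is it in the cache already?" check and the reservation of the id happen atomically.

```java
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for the real SessionCache; only the pieces needed to
// show the suggested id generation are modelled here.
public final class RandomSessionIdExample {
    private static final SecureRandom RNG = new SecureRandom();
    // Assumption: the cache's session table is keyed by the session id string.
    private static final Map<String, Object> SESSIONS = new ConcurrentHashMap<>();

    // Steps 1 and 2: 128 bits from a CSPRNG, hex-encoded, prefixed with the account id.
    static String candidateId(String accountId) {
        byte[] buf = new byte[16];
        RNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(accountId.length() + 1 + 32);
        sb.append(accountId).append(':');
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Steps 3 and 4: retry until the id is not already present. putIfAbsent makes
    // "check, then reserve" a single atomic operation, so two concurrent callers
    // cannot both claim the same id (containsKey followed by put would race).
    static String getNextSessionId(String accountId, Object session) {
        while (true) {
            String id = candidateId(accountId);
            if (SESSIONS.putIfAbsent(id, session) == null) {
                return id;
            }
            // Collision on 128 random bits: loop and draw again.
        }
    }

    public static void main(String[] args) {
        String a = getNextSessionId("acct-1234", new Object());
        String b = getNextSessionId("acct-1234", new Object());
        System.out.println(a);
        System.out.println(b);
        if (a.equals(b) || !a.startsWith("acct-1234:") || SESSIONS.size() != 2) {
            throw new IllegalStateException("session id generation misbehaved");
        }
    }
}
```

Because the random part carries 128 bits of entropy, the retry branch exists for correctness rather than as a path that is expected to run; the account-id prefix keeps ids readable in logs but contributes nothing to unguessability.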