Phobos randomUUID is not suitable to generate secrets

Cym13 cpicard at
Thu Sep 3 13:15:25 UTC 2020

On Wednesday, 2 September 2020 at 11:14:43 UTC, Kagamin wrote:
> On Monday, 31 August 2020 at 14:14:12 UTC, Cym13 wrote:
>> [1]
> or 
> But then how do you know that session ids are secrets and not 
> just ids?

In almost all implementations, when a session ID is used it is 
the information that identifies the user as logged in using a 
given account. That information is typically sufficient to obtain 
access to said account, so session IDs are typically secret. Of 
course you can imagine or find a counter-example, but it doesn't 
weaken the point: randomUUID is not suitable to generate secrets.
