7

I am going to uniquely identify a user by storing a unique ID in his/her cookie. HttpSession ID is a good choice from my Google search. Just wanted to know how unique it is? Is it unique to the web container, or once it expires, will it get regenerated? If it repeats, all my user login can go for a toss. Need some expert opinion on using sessionID as a unique identifier for my users.

Tito
  • Seems safe to say this will vary based on which servlet container you use; which I think bolsters the idea that you could also just easily use a "unique id generator" of your own. – matt b Oct 21 '12 at 13:20

2 Answers

8

Session IDs are unique and meaningful only for the lifetime of a session. A session ID identifies a session: nothing more, nothing less. It does not identify a user.

You cannot and should not rely on session IDs ever being reused, let alone for the same user.

Matt Ball
2

A session ID must uniquely identify a session on a server, or on a cluster of servers. You don't have any guarantee of uniqueness across restarts. Why don't you simply use a database sequence, or a UUID?

JB Nizet
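The UUID suggestion from the answers, sketched as an added example that is not part of the original posts: a visitor identifier issued once and kept in its own cookie, independent of the container's session ID. It assumes the Servlet 3.0+ API (`javax.servlet`); the class name `VisitorId` and the cookie name `visitor_id` are hypothetical.

```java
import java.util.UUID;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: a stable visitor ID kept separate from the container's session ID. */
public final class VisitorId {
    // Hypothetical cookie name chosen for this example.
    private static final String COOKIE_NAME = "visitor_id";
    private static final int ONE_YEAR_SECONDS = 365 * 24 * 60 * 60;

    private VisitorId() {}

    /** Returns the visitor's UUID, issuing a new one if the cookie is missing or malformed. */
    public static UUID resolve(HttpServletRequest request, HttpServletResponse response) {
        UUID existing = readCookie(request);
        if (existing != null) {
            return existing;
        }
        // randomUUID() draws from a cryptographically strong RNG, so uniqueness
        // does not depend on the servlet container or on its restarts.
        UUID fresh = UUID.randomUUID();
        Cookie cookie = new Cookie(COOKIE_NAME, fresh.toString());
        cookie.setHttpOnly(true);           // not readable from page scripts
        cookie.setSecure(true);             // sent over HTTPS only
        cookie.setPath("/");
        cookie.setMaxAge(ONE_YEAR_SECONDS); // outlives any single HttpSession
        response.addCookie(cookie);
        return fresh;
    }

    private static UUID readCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when the request has no cookies
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) {
                try {
                    // The value is client-supplied: reject anything that does not parse as a UUID.
                    return UUID.fromString(c.getValue());
                } catch (IllegalArgumentException malformed) {
                    return null;
                }
            }
        }
        return null;
    }
}
```

The value identifies a browser, not an authenticated user: anyone holding the cookie can present it, so login state belongs in the server-side session and the UUID serves only as a lookup key.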