I am trying to implement a generation of HttpSession key
I am generating a random number between 1,000,000 to 9,999,999 and send it as a cookie to the user.
Is it possible to make this process secure? anyone can make a random number like that and try to access my server...maybe I need larger range?
another question is, how can I generate number that I haven't generate before? right now I regenerate every time that number is in use, is it possible to do it in a better way?
Use a UUID. Specifically, UUID.randomUUID(). Here's a discussion about the likelihood of collisions.
It sounds a lot like you're trying to implement some basic authentication. Something to try (in pseudo-code; I'm not great with Java on the web):
random_number = rand(1000000, 9999999);
secret = "Some random text here";
timestamp = unix_timestamp(); // Get a UNIX timestamp
user_ip = users_ip(); // Get the user's IP
setcookie("random_number", random_number); // Save the random number
setcookie("timestamp", timestamp);
setcookie("token", sha256(random_number + secret + timestamp + ip)); // Concat and hash everything to form a token
When you want to check if the random number is valid, just pull all the pieces back together and compare it to the token:
random_number = getcookie("random_number");
secret = "Some random text here";
timestamp = int(getcookie("timestamp"));
user_ip = users_ip(); // Get the user's IP
token = sha256(random_number + secret + timestamp + ip);
if(unix_timestamp() - timestamp < 0 || unix_timestamp() - timestamp > timeout) {
// The token is more than an hour old; it might have been stolen.
}
if(token == getcookie("token")) {
// The user is valid
} else {
// The user is invalid
}
This code will block someone from spoofing the random number by making sure it comes from the same IP. You can also use the timestamp stuff to make sure that the user's session expires over time. This'll keep hackers from simply generating a good number and using it forever.
As for the secret, that's a random text chunk. It should be completely random and never be shared. It basically makes your tokens virtually impossible to reverse engineer (otherwise, it's a matter of trying combinations like "number timestamp ip", "ip number timestamp", etc.).
It should also be noted that something like this could be better accomplished with HMAC, but that could be somewhat overkill for what you're looking to do. This solution will do a damn good job as-is.
Hope this helps.
EDIT
It should be noted that your secrets need to be the same for the verification to work.
I have asked my self the same question and found a great answer here: http://stackoverflow.com/questions/105034/how-to-create-a-guid-uuid-in-javascript/873856#873856
You better read more about RFC 4122 to see if this is what you meant.. I am using this pseudo code for a NodeJS project and it does the job.
BTW: You need more than 7 digits in order to be on the safe side..