From 3c02861c206ecc1267d8a8f24ffca53224d42ca5 Mon Sep 17 00:00:00 2001
From: Wali Reheman
Date: Sat, 6 Jun 2026 09:02:25 -0400
Subject: [PATCH] Deprecate RandomSessionIdGenerator due to insufficient entropy (64-bit)

Marks the class @Deprecated with a Javadoc pointing to JavaUuidSessionIdGenerator. Modern industry standards (OWASP ASVS, NIST SP 800-63B) require a minimum of 128 bits of entropy for session tokens. RandomSessionIdGenerator only provides 64 bits via Long.toString(SecureRandom.nextLong()). Fixes apache/shiro#2758
---
 .../shiro/session/mgt/eis/RandomSessionIdGenerator.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/core/src/main/java/org/apache/shiro/session/mgt/eis/RandomSessionIdGenerator.java b/core/src/main/java/org/apache/shiro/session/mgt/eis/RandomSessionIdGenerator.java
index d4249cd701..2e79dfd23b 100644
--- a/core/src/main/java/org/apache/shiro/session/mgt/eis/RandomSessionIdGenerator.java
+++ b/core/src/main/java/org/apache/shiro/session/mgt/eis/RandomSessionIdGenerator.java
@@ -30,7 +30,11 @@
  * implementation is a {@link java.security.SecureRandom SecureRandom} with the {@code SHA1PRNG} algorithm.
  *
  * @since 1.0
+ * @deprecated since 2.0. Use {@link JavaUuidSessionIdGenerator} instead. This class uses only 64 bits of entropy
+ * which is below modern industry minimums (128 bits per OWASP ASVS and NIST SP 800-63B) and poses
+ * a security risk if used in production.
  */
+@Deprecated
 public class RandomSessionIdGenerator implements SessionIdGenerator {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(RandomSessionIdGenerator.class);
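Review bot: The bare `@Deprecated` added above the class declaration drops the version that the new `@deprecated` Javadoc tag states; if the module's compiler baseline is Java 9 or later, `@Deprecated(since = "2.0")` lets javac and IDEs surface the same "since 2.0" in their warnings instead of leaving it only in the rendered Javadoc. The annotation is also purely a compile-time signal, so any existing configuration that still wires this class into a SessionDAO keeps issuing 64-bit session identifiers with no runtime trace of the weakness; a one-time `LOGGER.warn` when the class is instantiated (the constructor is outside this hunk) would let operators spot such deployments in logs and migrate them to `JavaUuidSessionIdGenerator`. The Javadoc's first sentence still presents the SHA1PRNG `SecureRandom` as the default; a short clause there saying that the identifier width, not the PRNG quality, is the limitation would keep readers from fixing the wrong thing.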