This question was posted in response to the following article: http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-70de.html
I'm confused about one aspect of UUIDs: In CF9 Standard, if I check "Use UUID for CFToken", it generates a token that has the 8-4-4-16 character group, but in addition, it is prefixed by another string, so that the CFTOKEN returned looks something like this: 360353802d5624bb-AD53DEC4-E04D-3E5F-F75EA5F06E6AD3A5. Because of that extra prefix, if I try to write the CFToken to a database table and use it, it throws the following error:
ERROR INFORMATION:
The cause of this output exception was that: coldfusion.tagext.sql.QueryParamTag$InvalidDataException: Invalid data value 360353802d5624bb-AD53DEC4-E04D-3E5F-F75EA5F06E6AD3A5 exceeds maxlength setting 50.
So, my questions are: when using UUID for CFToken, what should the maxlength be set to to ensure successful writes, where is the prefix before the 8-4-4-16 character group coming from, and what does that prefix represent?
Thanks,
Michael
ColdFusion prepends the UUID with 16 random hexadecimal characters to make the CFToken even more unique. See the section "Ensuring CFToken uniqueness and security" in the livedocs on managing the client state.
ColdFusion prepends the UUID with 16 random hexadecimal characters to make the CFToken even more unique. See the section "Ensuring CFToken uniqueness and security" in the livedocs on managing the client state.
Because, like, a UUID is not unique enough already.
😐
I do wonder about them (Adobe) sometimes. [Shrug]. Maybe there's some good reason to do this that I'm not seeing.
--
Adam
The random string is not meant to make the token more unique, it is meant to make it random. UUIDs are plenty unique, but a CF UUID is not random. For a token to be a quality session token it must be random, hence the extra string.
Yeah... OK. But only the first four bytes of a CF UUID are not random. The rest is. So I really don't see the benefit still. I suppose "more numbers" means "more randomness", but they've already got 96 bits' worth of random there. That's quite a lot.
--
Adam
Is that documented anywhere? Because I do not think that is true. I don't think that CF UUIDs are anywhere near that random (if random at all). Perhaps it has changed over the years, but in the past CF would produce UUIDs like this:
1330544F-C09F-F023-3B5732BB3AB1E6FC
1330546E-C09F-F023-3B427B03747AD651
1330547E-C09F-F023-3B32F655A3898333
1330548D-C09F-F023-3B272F4E96E41BED
1330549D-C09F-F023-3B342477C11A9E36
Now they appear to be better
B7D7C0B8-B308-5369-EFC0BE4E04761AE2
B7D7C0BB-E912-DFB2-214CA7DB792CE7E8
B7D7C0BC-DA8E-AC19-E975FC9328DF931F
B7D7C0BD-DD8B-D5C5-4BE0F86B97BDE54F
B7D7C0BE-F2D2-E4B8-5E5D4DEDD32E54CF
But for whatever reason clearly it was not deemed sufficient. Perhaps it was pressure from those that wanted something more for PCI compliance. I certainly don't think it was a bad move or anything. The more randomness the better.
jason
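The token quoted in the original question and the two UUID lists in the post above lend themselves to a quick check. The following Python is an added example, not code from this thread or from ColdFusion itself; it assumes only the layout described here (16 random hex characters, a hyphen, then the 8-4-4-16 CF UUID), measures the token length the database column has to hold, flags UUID groups that are constant or climb like a counter across the samples, and illustrates the counter-versus-CSPRNG distinction between "unique" and "random":

```python
import re
import secrets

# Constructed sample, copied from the token quoted in the original question:
# 16 random hex chars, a hyphen, then the 8-4-4-16 ColdFusion UUID.
SAMPLE_CFTOKEN = "360353802d5624bb-AD53DEC4-E04D-3E5F-F75EA5F06E6AD3A5"

# Layout of a UUID-style CFToken as described in this thread (assumed, not
# taken from any ColdFusion specification).
CFTOKEN_RE = re.compile(
    r"^(?P<prefix>[0-9a-fA-F]{16})-"
    r"(?P<uuid>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{16})$"
)


def parse_cftoken(token):
    """Split a UUID-style CFToken into its random prefix and the CF UUID.

    Returns None when the token does not match the 16-(8-4-4-16) layout,
    otherwise a dict with the two parts and the total length (the value a
    database column's maxlength has to accommodate).
    """
    m = CFTOKEN_RE.match(token)
    if m is None:
        return None
    return {"prefix": m.group("prefix"), "uuid": m.group("uuid"), "length": len(token)}


# The two lists of CF UUIDs posted in the thread (older output first).
OLD_UUIDS = [
    "1330544F-C09F-F023-3B5732BB3AB1E6FC",
    "1330546E-C09F-F023-3B427B03747AD651",
    "1330547E-C09F-F023-3B32F655A3898333",
    "1330548D-C09F-F023-3B272F4E96E41BED",
    "1330549D-C09F-F023-3B342477C11A9E36",
]
NEW_UUIDS = [
    "B7D7C0B8-B308-5369-EFC0BE4E04761AE2",
    "B7D7C0BB-E912-DFB2-214CA7DB792CE7E8",
    "B7D7C0BC-DA8E-AC19-E975FC9328DF931F",
    "B7D7C0BD-DD8B-D5C5-4BE0F86B97BDE54F",
    "B7D7C0BE-F2D2-E4B8-5E5D4DEDD32E54CF",
]


def group_analysis(uuids):
    """Inspect each hyphen-separated group across a list of UUIDs.

    For every group report whether it is constant across all samples and
    whether it increases strictly from one sample to the next. A constant
    group carries no entropy; a group that climbs monotonically behaves like
    a timestamp or counter, which is exactly what a token should not contain.
    """
    columns = list(zip(*(u.split("-") for u in uuids)))
    report = []
    for col in columns:
        values = [int(x, 16) for x in col]
        report.append({
            "constant": len(set(col)) == 1,
            "monotonic": all(a < b for a, b in zip(values, values[1:])),
        })
    return report


def counter_tokens(n, start=1):
    """Unique but fully predictable: a plain incrementing counter."""
    return [f"{start + i:016x}" for i in range(n)]


def random_tokens(n):
    """Unpredictable (CSPRNG) and unique with overwhelming probability."""
    return [secrets.token_hex(8) for _ in range(n)]


def all_unique(tokens):
    """Uniqueness: no two tokens in the list are the same."""
    return len(set(tokens)) == len(tokens)


def looks_like_counter(tokens):
    """True when every token is exactly the previous one plus one."""
    values = [int(t, 16) for t in tokens]
    return all(b - a == 1 for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    print(parse_cftoken(SAMPLE_CFTOKEN))
    print("old UUIDs:", group_analysis(OLD_UUIDS))
    print("new UUIDs:", group_analysis(NEW_UUIDS))
    c = counter_tokens(5)
    r = random_tokens(5)
    print("counter unique:", all_unique(c), "predictable:", looks_like_counter(c))
    print("random  unique:", all_unique(r), "predictable:", looks_like_counter(r))
```

Run as-is it reports the 52-character length of the quoted token, shows that in the older list the second and third groups never change while the first group climbs, and that in the newer list the first group still climbs even though the rest varies; the counter list passes the uniqueness check and fails the predictability one, which is the whole point of prefixing the UUID with CSPRNG output.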
Is that documented anywhere?
Documented? Not that I'm aware of. But I was looking at the source code of the createUuid() function (in CF9).
--
Adam
Good enough for me.
Jason
12Robots wrote:
The random string is not meant to make the token more unique, it is meant to make it random.
Actually, more unique means random!
No, it doesn't. I could increment numbers 1,2,3,4,5,6,7 and guarantee uniqueness. But they certainly are not random. Uniqueness and randomness are not the same thing.
Jason
12Robots wrote:
No, it doesn't. I could increment numbers 1,2,3,4,5,6,7 and guarantee uniqueness. But they certainly are not random. Uniqueness and randomness are not the same thing.
In your example, uniqueness means distinctness. The list you give is deterministic.
In the above context (of CFToken) uniqueness and randomness are synonymous. They are both measures of the effectiveness of the random generator. In this sense, uniqueness means that, if you pick one CFToken from an extremely large list of CFTokens generated by ColdFusion, the probability of there being another one identical to it is negligible. Randomness means, if you pick any arbitrary number of consecutive CFTokens in the list, you will be unable to find an algorithm to use them to predict the next one.
In the above context (of CFToken) uniqueness and randomness are synonymous. They are both measures of the effectiveness of the random generator. In this sense, uniqueness means that, if you pick one CFToken from an extremely large list of CFTokens generated by ColdFusion, the probability of there being another one identical to it is negligible. Randomness means, if you pick any arbitrary number of consecutive CFTokens in the list, you will be unable to find an algorithm to use them to predict the next one.
While they are both measures of the effectiveness of the random number generator, they do not mean the same thing, regardless of within what context they're used.
Dave Watts, CTO, Fig Leaf Software
BKBK wrote:
In the above context (of CFToken) uniqueness and randomness are synonymous. They are both measures of the effectiveness of the random generator. In this sense, uniqueness means that, if you pick one CFToken from an extremely large list of CFTokens generated by ColdFusion, the probability of there being another one identical to it is negligible. Randomness means, if you pick any arbitrary number of consecutive CFTokens in the list, you will be unable to find an algorithm to use them to predict the next one.
Dave Watts wrote:
While they are both measures of the effectiveness of the random number generator, they do not mean the same thing, regardless of within what context they're used.
A statement with just the bare bones and no beef gives us little to chew on. As an aside, I do believe that the clause "regardless of within what context" exists out of the realms of language and logic. For context is one of the fundaments of language and logic. I'll leave it here, lest the argument stray even further away from the CFToken.
I will simplify it for you. There is no context in which uniqueness and randomness mean the same thing. Period. There is nothing here for you to "chew on" - it's a very simple thing.
As an aside, you'll have to forgive me if I don't rely on your explanation of the realms of language and logic.
Dave Watts, CTO, Fig Leaf Software
Dave Watts wrote:
There is no context in which uniqueness and randomness mean the same thing.
This statement is of course untrue. You state, but fail to expound. By beef, I meant you could, for example, expound on the lack of equivalence between uniqueness and randomness in a few contexts of your own choosing.
You mentioned the random number generator, so we're in the domain of mathematics, computing, physics and logic. Take your pick. You may want to show the lack of equivalence between uniqueness and randomness in the sense of Gauss, Lyapunov or Kolmogorov, in the sense of Turing and predicate logic, or in the sense of Markov, Wiener or chaotic dynamics.
Above, I explained a context in which uniqueness implies randomness, and where randomness implies uniqueness. Equivalence follows. It may also be that I'm wrong. However, if you do not come up with a substantial argument, then we should just agree to differ and leave it at that.
Wiener
Well you're definitely being one of those.
😉
--
Adam
Adam Cameron. wrote:
Wiener
Well you're definitely being one of those.
😉
I'm not worthy.
Norbert Wiener:
- graduated from high school at 11
- obtained a degree in Mathematics at 14
- obtained a Ph.D. from Harvard at 17
- made significant contributions in computing, robotics, mathematics, physics, logic, biology, just to name some.
Above, I explained a context in which uniqueness implies randomness, and where randomness implies uniqueness. Equivalence follows. It may also be that I'm wrong. However, if you do not come up with a substantial argument, then we should just agree to differ and leave it at that.
Mutual implication between two things does not make them equivalent, no matter how much you seem to think it does, and no matter what context you explain. I don't see how an argument can be more substantial than one that relies on the plain meaning of two words.
Dave Watts, CTO, Fig Leaf Software
BKBK wrote:
Above, I explained a context in which uniqueness implies randomness, and where randomness implies uniqueness. Equivalence follows. It may also be that I'm wrong. However, if you do not come up with a substantial argument, then we should just agree to differ and leave it at that.
Dave Watts wrote:
Mutual implication between two things does not make them equivalent, no matter how much you seem to think it does, and no matter what context you explain.
You are again wrong. If x implies y and y implies x, then x is equivalent to y (at least in the contexts of mathematics, computation and logic).
Dave Watts wrote:
Mutual implication between two things does not make them equivalent, no matter how much you seem to think it does, and no matter what context you explain.
You are again wrong. If x implies y and y implies x, then x is equivalent to y (at least in the contexts of mathematics, computation and logic).
Words are not numeric expressions. Sentences are not solvable equations.
Dave Watts, CTO, Fig Leaf Software
Dave Watts wrote:
Mutual implication between two things does not make them equivalent, no matter how much you seem to think it does, and no matter what context you explain.
BKBK wrote:
You are again wrong. If x implies y and y implies x, then x is equivalent to y (at least in the contexts of mathematics, computation and logic).
Dave Watts wrote:
Words are not numeric expressions. Sentences are not solvable equations.
That statement doesn't only apply to numeric expressions. It is a universally accepted fact in logic.
So, let me oblige, using sentences. If one sentence implies another, and the second implies the first, then the 2 sentences are equivalent.
That statement doesn't only apply to numeric expressions. It is a universally accepted fact in logic.
So, let me oblige, using sentences. If one sentence implies another, and the second implies the first, then the 2 sentences are equivalent.
This is where I sighed, but I guess you couldn't hear that.
Here is a very simple counterexample. One sentence can, of course, imply more than one thing. If one sentence implies a second and a third, and the second implies the first but not the third, they are clearly not equivalent. What you presumably meant was that if x implies y and only implies y, and vice-versa, then they are equivalent. Of course, that rarely happens with sentences that have any complexity at all. When it happens with words, we call those words "synonyms". So, again, mutual implication, alone, between two things does not make them equivalent.
Now, going back to the item in question. Here is your quote from a previous post:
"In the above context (of CFToken) uniqueness and randomness are synonymous. They are both measures of the effectiveness of the random generator. In this sense, uniqueness means that, if you pick one CFToken from an extremely large list of CFTokens generated by ColdFusion, the probability of there being another one identical to it is negligible. Randomness means, if you pick any arbitrary number of consecutive CFTokens in the list, you will be unable to find an algorithm to use them to predict the next one."
These sentences contradict each other. Just because two things are required for a third thing, that does not mean that those two things are synonymous. And, in fact, you acknowledge that by GIVING DIFFERENT DEFINITIONS FOR THOSE TWO THINGS. Those two sentences DO NOT MEAN THE SAME THING. If they did, you could swap their definitional clauses like so:
"uniqueness means that, if you pick any arbitrary number of consecutive CFTokens in the list, you will be unable to find an algorithm to use them to predict the next one."
"randomness means that, if you pick one CFToken from an extremely large list of CFTokens generated by ColdFusion, the probability of there being another one identical to it is negligible."
Now, I notice that you did not do this. And, I suspect, you would not be inclined to say that you can, in fact, do this. That is because the two words mean different things, even in the context in which you used them.
Dave Watts, CTO, Fig Leaf Software
I see no development or new idea beyond my own, so I'll end here.
Your "new idea" seems to be that you can define words however you like, as Humpty-Dumpty would. So perhaps it's best you end here.
Dave Watts, CTO, Fig Leaf Software