Hi Emile,
> According to the spec, session IDs must be random and globally unique.
The spec doesn't require global uniqueness, only
"IDs in the global scope MUST be drawn randomly from a uniform
distribution over the complete range [1, 2^53]"
https://wamp-proto.org/wamp_bp_latest_ietf.html#name-ids
But actually I think the spec is really lacking: "global scope" might be
misleading, and in any case, it isn't explained anywhere.
If you need a globally unique session ID that is unique both in space
and in time, 53 bits aren't enough.
Practically, 128 bits should be fine, and one way to derive such a "long
term unique session ID" would be
SHA(session_id | session_started)
with session_started being the time the session joined on the router,
SHA being SHA1 or SHA256 truncated to 128 bits, and | being the
concatenation of bytes.
Do you think discussing this stuff in the spec would be worthwhile?
> I would prefer to do away with my session ID pool and use a PRNG that is
> guaranteed to produce no duplicates given any seed. Is there such a
> thing available?
A PRNG will necessarily repeat itself sooner or later (this time is
called the "period of the PRNG").
Since a PRNG's run-time state is finite, how could it not repeat?
For run-time < period(PRNG), you can of course demand that no single
output repeats (this is different from the output sequence repeating,
which happens when the same internal state is encountered).
You can make any PRNG behave like this. You'll need period(PRNG) more
memory to store all output as internal state and then skip duplicates.
Of course the resulting program is "less random" than the original ;)
Cheers,
/Tobias
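
An added example, not part of the original message and not code from any WAMP router: a sketch of the SHA(session_id | session_started) derivation described above, together with a session ID draw over [1, 2^53] that skips IDs of live sessions. Assumptions: the function names are hypothetical, SHA-256 is used, both fields are encoded as fixed-width 8-byte big-endian integers, session_started is in nanoseconds, and Python's `secrets` module is the random source.

```python
import hashlib
import secrets
import struct

ID_MAX = 2 ** 53  # upper bound of the spec's global-scope ID range [1, 2^53]


def new_session_id(active):
    """Draw an ID uniformly from [1, 2^53], skipping IDs of live sessions."""
    while True:
        candidate = secrets.randbelow(ID_MAX) + 1  # uniform over 1..2^53
        if candidate not in active:
            active.add(candidate)
            return candidate


def long_term_id(session_id, session_started_ns):
    """SHA256(session_id | session_started), truncated to 128 bits.

    Assumed encoding: two fixed-width 8-byte big-endian unsigned integers,
    so the concatenation cannot be split in two different ways.
    """
    if not 1 <= session_id <= ID_MAX:
        raise ValueError("session_id outside [1, 2^53]")
    data = struct.pack(">QQ", session_id, session_started_ns)
    return hashlib.sha256(data).digest()[:16]


def collision_probability(n, bits):
    """Birthday-bound approximation for n uniform draws from 2^bits values."""
    return min(1.0, n * (n - 1) / 2 ** (bits + 1))


if __name__ == "__main__":
    active = set()
    sid = new_session_id(active)
    started = 1_700_000_000_000_000_000  # constructed join time, ns since epoch
    print(sid, long_term_id(sid, started).hex())
    # Chance of any repeat among one million sessions, 53 bits vs 128 bits:
    print(collision_probability(10**6, 53), collision_probability(10**6, 128))
```

The `active` set only has to hold the IDs of sessions that are currently joined, which is much smaller than the memory needed to track every output a generator has ever produced.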