Introduce SessionIdGenerationStrategy

[marcusdacoregio]

Issue gh-11

[rwinch]

Thanks for the PR. I've commented inline, but there appear to be places where the SessionIdGenerationStrategy is not used (I've commented inline there).

It also seems that there are probably some additional tests that should be written.

[rwinch]

Using a secure random number generator (eg generating a UUID) is a blocking operation so we may need a reactive equivalent of the SessionIdGenerationStrategy that does the generation on a different thread.

[rwinch]

Does this logic take into account changeSessionId()?

[marcusdacoregio]

I think we do not need a reactive equivalent since now the strategy is inside the session implementation

[rwinch]

The blocking operation is still happening on the event thread which should not occur

[jcranfordupgrade]

Is blocking caused by /dev/random? If so then fix the root cause, not the symptom.
=> Add an entropy generator in your VM

Caveat: If using Docker, put the generator in the host, and all containers will benefit from that shared kernel entropy pool.

Entropy generators for Linux:

1. Linux kernel 5.4+ => A new JITTER entropy generator was added. Many LTS/EL kernels back-ported that enhancement.
2. Linux kernel before 5.4 => Install haveged (JITTER), or rngd (JITTER, plus optional x86-only RDRAND)

Caveat: If you care about FIPS 140, disable all JITTER and only use a compliant entropy source (e.g. RDRAND on x86, or other third-party compliant entropy daemons/services).
Caveat: I have not seen SecureRandom blocking issues on macOS or Windows for years.

[jcranfordupgrade]

RHEL/CentOS case study:

• 9.x w/ kernel 5.14 => Built-in since 9.0 because kernel 5.4+ comes with JITTER
• 8.x w/ kernel 4.18 => Back-ported in a later 8.x, so update to latest 8.x
• 7.x w/ kernel 3.10 => Back-ported in a later 7.x, so update to latest 7.x
• 6.x w/ kernel 2.6.32 => Not back-ported, manually install haveged or rng-tools
• 5.x w/ kernel 2.6.18 => Same as above
• 4.x w/ kernel 2.6.9 => Same as above

[jcranfordupgrade]

If you are on an old Linux kernel, and can't install haveged/rng-tools, fall back to this old Java hack:
3. JVM system property at startup:-Djava.security.egd=file:/dev/urandom

Caveat: This is a security concern. It will lead to weak random data, especially right after a reboot when the entropy pool is empty.
Caveat: It probably only works for the default Sun/Oracle providers. Third-party crypto providers (e.g. Bouncy Castle) may or may not offer a workaround.