On Thu, Jun 16, 2016 at 10:52 AM, Rémy Maucherat <r...@apache.org> wrote:
You're basically asking for all products to > behave the same because it would be nicer for your own product. I can assure you I'm not. I simply wanted to explore the possibility of Tomcat behaving the same way. I didn't want to prescribe a solution but you appear to have assumed that I want to change Tomcat's default behaviour for everyone. That's not the case. I would be quite happy if Tomcat made it easy for an embedder to configure it in such a way that the use of SecureRandom during startup could be disabled. Spring Boot could enable this option by default thereby allowing users, without them configuring anything, to only pay to cost of session ID generation if their application actually generates a session ID. That's fine, but choice is good. > Indeed it is. That's why I'd like a choice to defer the use of SecureRandom until it's actually needed. Andy