The dispersion on connection expirations in the C++ native client adds a variance of between -9% and 9% to the time after which a connection expires due to load-conditioning, so that when many connections are created at the same time they do not all expire at exactly the same moment.
Nevertheless, the current implementation has two problems:
- The randomness of the variance depends on the current time in seconds. As a result, connections created within the same second receive the same variance and, therefore, the same expiration time.
- The randomness is produced with the C standard library's "rand()" function, which is not considered secure.
It is recommended to switch the random variance generation to a secure library and to make sure that connections created within the same second do not all receive the same variance.
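The following is an added example, not code from the client itself: a hypothetical reconstruction of the per-second-seeded `rand()` jitter described above, placed next to a hardened form that draws each variance from `std::random_device` so that two connections created in the same second no longer collide. The function names, the millisecond unit and the seed value are assumptions for illustration.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdlib>
#include <ctime>
#include <random>

// Jitter bound from the report: expiry is spread by -9% .. +9%.
constexpr double kJitter = 0.09;

// Weak form (hypothetical reconstruction of the described behaviour):
// rand() is seeded from the wall clock in seconds, then one draw is mapped
// to [-kJitter, +kJitter]. Every connection created within the same
// second reseeds with the same value and therefore gets the same variance.
double weakVariance(std::time_t nowSeconds) {
    std::srand(static_cast<unsigned>(nowSeconds));
    double unit = static_cast<double>(std::rand()) / RAND_MAX;  // [0, 1]
    return (unit * 2.0 - 1.0) * kJitter;                       // [-0.09, 0.09]
}

// Hardened form: each call draws from std::random_device, which on common
// platforms (libstdc++/libc++ on Linux, BSD, macOS) reads the OS entropy
// source, so consecutive connections get independent variances regardless
// of the clock. Note that the standard only guarantees std::random_device
// is non-deterministic "if available"; where the policy demands a vetted
// CSPRNG, substitute the platform's own API (e.g. getrandom, arc4random).
double securedVariance() {
    static std::random_device device;  // one device per process
    std::uniform_real_distribution<double> dist(-kJitter, kJitter);
    return dist(device);
}

// Apply the variance to a base expiry and round to whole milliseconds.
std::int64_t jitteredExpiryMs(std::int64_t baseMs, double variance) {
    return static_cast<std::int64_t>(std::llround(baseMs * (1.0 + variance)));
}

// Returns true if at least two of n draws differ; the weak form seeded
// from a fixed second can never satisfy this, the hardened form does.
bool drawsDiffer(double (*draw)(), int n) {
    double first = draw();
    for (int i = 1; i < n; ++i) {
        if (draw() != first) return true;
    }
    return false;
}
```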