Add comments clarifying the use of UUID for security tokens

Change-Id: I3f48f9bb42b36d0a46926ec753f30df95491720b

server/src/main/java/com/vaadin/server/VaadinSession.java

@@ -754,6 +754,12 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable {
 
     private int connectorIdSequence = 0;
 
+    /*
+     * Despite section 6 of RFC 4122, this particular use of UUID *is* adequate
+     * for security capabilities. Type 4 UUIDs contain 122 bits of random data,
+     * and UUID.randomUUID() is defined to use a cryptographically secure random
+     * generator.
+     */
     private final String csrfToken = UUID.randomUUID().toString();
 
     /**

server/src/main/java/com/vaadin/ui/ConnectorTracker.java

@@ -785,6 +785,12 @@ public class ConnectorTracker implements Serializable {
         }
         String seckey = streamVariableToSeckey.get(variable);
         if (seckey == null) {
+            /*
+             * Despite section 6 of RFC 4122, this particular use of UUID *is*
+             * adequate for security capabilities. Type 4 UUIDs contain 122 bits
+             * of random data, and UUID.randomUUID() is defined to use a
+             * cryptographically secure random generator.
+             */
             seckey = UUID.randomUUID().toString();
             streamVariableToSeckey.put(variable, seckey);
         }