2 files changed, 12 insertions, 0 deletions

diff --git a/server/src/main/java/com/vaadin/server/VaadinSession.java b/server/src/main/java/com/vaadin/server/VaadinSession.java
index 3e3202ee1b..84808e89da 100644
--- a/server/src/main/java/com/vaadin/server/VaadinSession.java
+++ b/server/src/main/java/com/vaadin/server/VaadinSession.java
@@ -754,6 +754,12 @@ public class VaadinSession implements HttpSessionBindingListener, Serializable {
 
     private int connectorIdSequence = 0;
 
+    /*
+     * Despite section 6 of RFC 4122, this particular use of UUID *is* adequate
+     * for security capabilities. Type 4 UUIDs contain 122 bits of random data,
+     * and UUID.randomUUID() is defined to use a cryptographically secure random
+     * generator.
+     */
     private final String csrfToken = UUID.randomUUID().toString();
 
     /**
diff --git a/server/src/main/java/com/vaadin/ui/ConnectorTracker.java b/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
index 2ba6f5e895..ca901f6a6f 100644
--- a/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
+++ b/server/src/main/java/com/vaadin/ui/ConnectorTracker.java
@@ -785,6 +785,12 @@ public class ConnectorTracker implements Serializable {
         }
         String seckey = streamVariableToSeckey.get(variable);
         if (seckey == null) {
+            /*
+             * Despite section 6 of RFC 4122, this particular use of UUID *is*
+             * adequate for security capabilities. Type 4 UUIDs contain 122 bits
+             * of random data, and UUID.randomUUID() is defined to use a
+             * cryptographically secure random generator.
+             */
             seckey = UUID.randomUUID().toString();
             streamVariableToSeckey.put(variable, seckey);
         }