3 Replies Latest reply on Jul 28, 2007 10:14 PM by gavin.king

    Use of conversationId by web services

      So, let's say I publish a web service that lets me do two things: log in, and view all my customers.

      I first log in, and get back the conversationId in the SOAP response header. Then, I pass that conversationId in the SOAP request header in the request to list my customers, so that Seam knows who I am, and I am able to request all my customers.

      My concern is that the conversationId is fairly easy to guess. Even if I run SOAP over HTTPS, someone who gets conversationId 2 in their login response header can guess that the next conversationId would be 3, put that in their request header, and perhaps see someone else's customers.

      I'm guessing this is not an issue for the JSF interface, because I'm assuming that something checks to see that the conversationId is associated with the web server session of the user. But that check can't be present in the web service, since there is no web server session passed in via SOAP. If this is a valid issue, is the fix simply having Seam generate non-guessable conversationIds?
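The guessing attack described in the post, as an added illustration that is not part of the original thread and is not Seam's code: a toy in-memory conversation table stands in for the server, the ID allocation strategy is swapped between a sequential counter and a CSPRNG token, and the attacker simply increments the ID they were handed at login. The customer data, the user names and the helper names (ConversationStore, run_attack, etc.) are all constructed for the example; nothing here says what Seam itself does.

```python
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample data for the example: which customers each user owns.
CUSTOMERS: Dict[str, List[str]] = {"alice": ["ACME", "Globex"], "bob": ["Initech"]}


class ConversationStore:
    """Toy stand-in for a server-side conversation table (id -> logged-in user).

    `allocate` is the ID strategy under test. It receives the number of
    conversations that already exist so that a sequential scheme can be modelled.
    """

    def __init__(self, allocate: Callable[[int], str]) -> None:
        self._allocate = allocate
        self._owner: Dict[str, str] = {}

    def login(self, user: str) -> str:
        """The 'log in' call: returns the conversationId the server would place
        in the SOAP response header."""
        cid = self._allocate(len(self._owner))
        if cid in self._owner:
            raise RuntimeError("conversationId collision")
        self._owner[cid] = user
        return cid

    def list_customers(self, cid: str) -> Optional[List[str]]:
        """The 'view all my customers' call, keyed only by the conversationId
        taken from the SOAP request header. None means the id is unknown."""
        user = self._owner.get(cid)
        return None if user is None else CUSTOMERS[user]


def sequential_id(count: int) -> str:
    """The guessable scheme the post worries about: 1, 2, 3, ..."""
    return str(count + 1)


def random_id(count: int) -> str:
    """128 bits from the OS CSPRNG; no id reveals anything about the next one."""
    return secrets.token_urlsafe(16)


def attacker_guess(own_cid: str) -> str:
    """The attacker's move from the post: 'my id is 2, so the next one is 3'."""
    try:
        return str(int(own_cid) + 1)
    except ValueError:
        # Nothing to increment in a random token, so the best the attacker can do
        # is a blind guess of the same shape.
        return secrets.token_urlsafe(16)


def run_attack(allocate: Callable[[int], str]) -> Optional[List[str]]:
    """Attacker logs in first, a victim logs in next, and the attacker then sends
    the guessed id. Returns whatever the attacker gets back (None if rejected)."""
    store = ConversationStore(allocate)
    attacker_cid = store.login("bob")
    store.login("alice")  # the victim receives the very next id
    return store.list_customers(attacker_guess(attacker_cid))


if __name__ == "__main__":
    print("sequential ids:", run_attack(sequential_id))  # attacker sees alice's customers
    print("random ids:    ", run_attack(random_id))      # guess is rejected
```

With the counter scheme the attacker's guess lands on the victim's conversation and the server, which has only the id to go on, hands back the victim's customers; with the random scheme the same guess misses. Making the id unguessable is exactly the change the post asks about, and the example shows why it matters when nothing else (no web session, no client certificate) ties the id to the caller.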