Hi Roby,
1) Two requests very very near can obtain the same lock cookie. In addiction, the lock number value can be "inferred" by client basing on previous calls to lock.
If you generate your cookie from within a synchronized context, there should be no cookie collision. If you use nano seconds, the risk of succesful client attacks with generated cookies should be very small.
3) It seems the best choice, but there is a very far possibility that the Random class can generate two identical cookies.
If you're interested in another way to generate random numbers, have a look at the java.util.UUID class which allows random UUID creation and conversion into long values.
Regards,
Thomas
[ September 27, 2008: Message edited by: Thomas Thevis ]