diff --git a/server/src/main/java/org/red5/net/websocket/WebSocketConnection.java b/server/src/main/java/org/red5/net/websocket/WebSocketConnection.java
index b1fabcb0f..c58e47dd8 100644
--- a/server/src/main/java/org/red5/net/websocket/WebSocketConnection.java
+++ b/server/src/main/java/org/red5/net/websocket/WebSocketConnection.java
@@ -24,7 +24,6 @@
 import java.util.concurrent.atomic.AtomicLongFieldUpdater;
 import java.util.stream.Stream;
 
-import org.apache.commons.lang3.RandomStringUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.tomcat.websocket.Constants;
 import org.apache.tomcat.websocket.WsSession;
@@ -128,9 +127,8 @@ public WebSocketConnection(WebSocketScope scope, Session session) {
         if (isDebug) {
             log.debug("ws session: {}", wsSession);
         }
-        // the websocket session id will be used for hash code comparison, its the only usable value currently
-        //wsSessionId = session.getId();
-        wsSessionId = RandomStringUtils.insecure().nextAlphabetic(11); // random 11 char string
+        // use the websocket session id for comparisons and lookups
+        wsSessionId = session.getId();
         hashCode = wsSessionId.hashCode();
         log.info("ws id: {} hashCode: {}", wsSessionId, hashCode);
         // get extensions
diff --git a/server/src/main/java/org/red5/net/websocket/server/DefaultServerEndpointConfigurator.java b/server/src/main/java/org/red5/net/websocket/server/DefaultServerEndpointConfigurator.java
index c93ac11c0..b25ea163b 100644
--- a/server/src/main/java/org/red5/net/websocket/server/DefaultServerEndpointConfigurator.java
+++ b/server/src/main/java/org/red5/net/websocket/server/DefaultServerEndpointConfigurator.java
@@ -101,6 +101,10 @@ public boolean checkOrigin(String originHeaderValue) {
         log.debug("checkOrigin: {}", originHeaderValue);
         // if CORS is enabled
         if (crossOriginPolicy) {
+            if (originHeaderValue == null) {
+                log.info("Origin header is missing and cross-origin policy is enabled");
+                return false;
+            }
             log.debug("allowedOrigins: {}", Arrays.toString(allowedOrigins));
             // allow "*" == any / all or origin suffix matches
             Optional<String> opt = Stream.of(allowedOrigins).filter(origin -> "*".equals(origin) || origin.endsWith(originHeaderValue)).findFirst();
diff --git a/server/src/main/java/org/red5/net/websocket/server/WsWriteTimeout.java b/server/src/main/java/org/red5/net/websocket/server/WsWriteTimeout.java
index 15d5eea0a..50ce660da 100644
--- a/server/src/main/java/org/red5/net/websocket/server/WsWriteTimeout.java
+++ b/server/src/main/java/org/red5/net/websocket/server/WsWriteTimeout.java
@@ -100,13 +100,11 @@ private static class EndpointComparator implements Comparator<WsRemoteEndpointIm
         public int compare(WsRemoteEndpointImplServer o1, WsRemoteEndpointImplServer o2) {
             long t1 = o1.getTimeoutExpiry();
             long t2 = o2.getTimeoutExpiry();
-            if (t1 < t2) {
-                return -1;
-            } else if (t1 == t2) {
-                return 0;
-            } else {
-                return 1;
+            if (t1 == t2) {
+                // fall back to identity hash to keep ordering stable and unique when timeouts match
+                return Integer.compare(System.identityHashCode(o1), System.identityHashCode(o2));
             }
+            return Long.compare(t1, t2);
         }
 
     }