tomcat-dev mailing list archives

From Petr Jiricka <petr.jiri...@netbeans.com>
Subject RE: Tomcat startup time
Date Wed, 16 Aug 2000 19:09:06 GMT
Hi,

while 3.52 minutes may seem acceptable for a live server, which is restarted
once a month, I would say that 5 extra seconds is quite annoying in a
development environment, where the server is restarted every 5 minutes.

So I suggest the following simple fix, which will allow a fast startup with
a very small change in the code. It can be turned on simply by adding
-Dtomcat.sessionid.insecure=true to your startup script.
The advantage is that this fix is so simple that it can be applied in
tomcat_32 without risk.

For 3.3 we can later add a server.xml option which sets the
tomcat.sessionid.insecure property.

Any objections?

Petr


Index: SessionIdGenerator.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator
.java,v
retrieving revision 1.3
diff -u -r1.3 SessionIdGenerator.java
--- SessionIdGenerator.java     2000/06/17 00:24:45     1.3
+++ SessionIdGenerator.java     2000/08/16 18:47:27
@@ -89,7 +89,7 @@
      */
     static private int session_count = 0;
     static private long lastTimeVal = 0;
-    static private java.util.Random randomSource = new
java.security.SecureRandom();
+    static private java.util.Random randomSource;

     // MAX_RADIX is 36
     /*
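Review bot: The randomSource declaration loses its initializer here, so the field is null until something assigns it. Add a comment at the declaration stating that it is initialized lazily inside getIdentifier and that its concrete type depends on the tomcat.sessionid.insecure system property, so that later code reading the field directly does not hit a null reference or assume it is always a SecureRandom.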
@@ -118,6 +118,13 @@
     static synchronized public String getIdentifier (String jsIdent)
     {
         StringBuffer sessionId = new StringBuffer();
+
+        if (randomSource == null) {
+            if (Boolean.getBoolean("tomcat.sessionid.insecure"))
+                randomSource = new java.util.Random();
+            else
+                randomSource = new java.security.SecureRandom();
+        }

         // random value ..
         long n = randomSource.nextLong();
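Review bot: In the new block at the top of getIdentifier, the tomcat.sessionid.insecure branch swaps in java.util.Random with no log output, and java.util.Random is a linear congruential generator whose later outputs can be computed from observed ones, so session IDs issued in this mode are predictable. Log a warning once when that branch is taken and document the property as development-only. In the default branch, the cost of creating the SecureRandom no longer falls at class load but on the first getIdentifier call, inside the synchronized method, which is the first-session delay raised earlier in this thread. The if/else bodies would also be clearer with braces.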




> -----Original Message-----
> From: yhs@mimic.onesourcecorp.com [mailto:yhs@mimic.onesourcecorp.com]
> Sent: Tuesday, August 15, 2000 8:42 PM
> To: tomcat-dev@jakarta.apache.org
> Subject: Re: Tomcat startup time
> 
> 
> 
> 
> On Tue, 15 Aug 2000 cmanolache@yahoo.com wrote:
> 
> > > > It can be delayed until the first session is created.
> > > > Or it can be done in a separate thread (and all session creation will
> > > > wait for this to complete).
> > > > 
> > > > Of course, server.xml option is great too.
> > > > 
> > > > Costin
> > > > 
> > > 
> > > doing it in server.xml as an option is IMHO far more convenient. i'd
> > > rather have a simple option RandomGenerator = Normal/Secure or
> > > something similar. I'd rather have this as default set on secure since
> > > i've seen the effects of having sessions cracked (and the effects of the
> > > security flaw in tomcat previously which used an insecure method which had
> > > an exploit posted).
> > 
> > The other 2 options allow to always use secure, but remove the annoying
> > startup delay.
> > 
> > Costin
> > 
> 
> yep..but you risk timing out the browser if it's the first thing to create
> a session in option 1...starting up some servlets can take a long
> time..this will just make it longer. Halting session creation for a thread
> which may take forever to complete just adds overhead (and may take
> longer than 5 seconds depending on server load). As for the annoying
> startup delay - it takes me 3.52 minutes (yup...that's minutes) to
> startup tomcat 3.1 with load balancing enabled using mod_jserv and
> Apache+SSL (30 JVMs) without SecureRandom. i probably won't notice another
> 5 seconds. :)
>  Having an option in a configuration file IMHO is always a good thing.
> -Ys-
> yhs@mimic.onesourcecorp.com
> 
> 

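The second option mentioned in the quoted thread (seed in a separate thread, with session creation waiting for it to complete), sketched as an added example: it is not Tomcat code and not part of the posted patch. It uses current Java APIs, and the class name, method name and 30-second wait bound are assumptions.

```java
import java.security.SecureRandom;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

// Added example, not Tomcat code. Names and the wait bound are hypothetical.
public final class DeferredSessionIdSource {
    // Seeding starts on a background thread when the class loads, so
    // server startup does not block on entropy gathering.
    private static final CompletableFuture<SecureRandom> SOURCE =
        CompletableFuture.supplyAsync(() -> {
            SecureRandom r = new SecureRandom();
            r.nextBytes(new byte[1]); // force seeding now, not on first use
            return r;
        });

    private static final long MAX_WAIT_SECONDS = 30; // assumed bound

    public static String newSessionId() {
        SecureRandom r;
        try {
            // Session creation waits here only if seeding is still running.
            r = SOURCE.get(MAX_WAIT_SECONDS, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("interrupted waiting for seed", e);
        } catch (ExecutionException | TimeoutException e) {
            // Fail closed: never fall back to java.util.Random.
            throw new IllegalStateException("secure random source not ready", e);
        }
        byte[] raw = new byte[16]; // 128 random bits per ID
        r.nextBytes(raw);
        StringBuilder id = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            id.append(Character.forDigit((b >> 4) & 0xf, 16));
            id.append(Character.forDigit(b & 0xf, 16));
        }
        return id.toString();
    }

    public static void main(String[] args) {
        String a = newSessionId();
        String b = newSessionId();
        System.out.println(a + " " + b + " distinct=" + !a.equals(b));
    }
}
```

The wait is bounded and the failure path throws, so a slow entropy source delays or rejects the first session instead of silently downgrading the generator.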