tomcat-dev mailing list archives

From cmanola...@yahoo.com
Subject RE: Tomcat startup time
Date Wed, 16 Aug 2000 19:40:45 GMT
I'm +1 on this; it's a good solution for 3.2 and has no danger.

I think you can also make a very small change (just add
get/setSecureSession in ContextManager) and that will allow you to use
Server.xml. It will also have no impact on the 3.2 stability - just 2 new
methods and a new field in ContextManager.

Costin

On Wed, 16 Aug 2000, Petr Jiricka wrote:

> Hi,
> 
> while 3.52 minutes may seem acceptable for a live server, which is restarted
> once a month, I would say that 5 extra seconds is quite annoying in a
> development environment, where the server is restarted every 5 minutes.
> 
> So I suggest the following simple fix, which will allow a fast startup with
> a very small change in the code. It can be turned on simply by adding
> -Dtomcat.sessionid.insecure=true to your startup script.
> The advantage is that this fix is so simple that it can be applied in
> tomcat_32 without risk.
> 
> For 3.3 we can later add a server.xml option which sets the
> tomcat.sessionid.insecure property.
> 
> Any objections?
> 
> Petr
> 
> 
> Index: SessionIdGenerator.java
> ===================================================================
> RCS file:
> /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator
> .java,v
> retrieving revision 1.3
> diff -u -r1.3 SessionIdGenerator.java
> --- SessionIdGenerator.java     2000/06/17 00:24:45     1.3
> +++ SessionIdGenerator.java     2000/08/16 18:47:27
> @@ -89,7 +89,7 @@
>       */
>      static private int session_count = 0;
>      static private long lastTimeVal = 0;
> -    static private java.util.Random randomSource = new
> java.security.SecureRandom();
> +    static private java.util.Random randomSource;
> 
>      // MAX_RADIX is 36
>      /*
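
Review bot: at the `randomSource` declaration, dropping the initializer leaves a static field that stays null until something assigns it, and nothing at the field says so. Add a comment there stating that it is created on the first `getIdentifier` call and that the `tomcat.sessionid.insecure` property selects the implementation, so that code added elsewhere in the class later does not use the field before it is assigned.
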
> @@ -118,6 +118,13 @@
>      static synchronized public String getIdentifier (String jsIdent)
>      {
>          StringBuffer sessionId = new StringBuffer();
> +
> +        if (randomSource == null) {
> +            if (Boolean.getBoolean("tomcat.sessionid.insecure"))
> +                randomSource = new java.util.Random();
> +            else
> +                randomSource = new java.security.SecureRandom();
> +        }
> 
>          // random value ..
>          long n = randomSource.nextLong();
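
Review bot: the `Boolean.getBoolean("tomcat.sessionid.insecure")` branch silently swaps in `java.util.Random`, which is not a cryptographically strong generator, so every session id issued by that JVM becomes guessable and nothing in the hunk tells the operator. Log a warning when that branch is taken so that a production instance started with a development script gets noticed, and document the property as development-only. The unguarded `randomSource == null` check is safe only because `getIdentifier` is `static synchronized`; a short comment saying so would keep it from being copied into an unsynchronized method.
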
> 
> 
> 
> 
> > -----Original Message-----
> > From: yhs@mimic.onesourcecorp.com [mailto:yhs@mimic.onesourcecorp.com]
> > Sent: Tuesday, August 15, 2000 8:42 PM
> > To: tomcat-dev@jakarta.apache.org
> > Subject: Re: Tomcat startup time
> > 
> > 
> > 
> > 
> > On Tue, 15 Aug 2000 cmanolache@yahoo.com wrote:
> > 
> > > > > It can be delayed until the first session is created.
> > > > > Or it can be done in a separate thread (and all session creation
> > > > > will wait for this to complete).
> > > > >
> > > > > Of course, server.xml option is great too.
> > > > >
> > > > > Costin
> > > > >
> > > >
> > > > Doing it in server.xml as an option is IMHO far more convenient. I'd
> > > > rather have a simple option RandomGenerator = Normal/Secure or
> > > > something similar. I'd rather have this as default set on secure since
> > > > I've seen the effects of having sessions cracked (and the effects of the
> > > > security flaw in tomcat previously which used an insecure method which had
> > > > an exploit posted).
> > >
> > > The other 2 options allow to always use secure, but remove the annoying
> > > startup delay.
> > >
> > > Costin
> > >
> >
> > yep..but you risk timing out the browser if it's the first thing to create
> > a session in option 1...starting up some servlets can take a long
> > time..this will just make it longer. Halting session creation for a thread
> > which may take forever to complete just adds overhead (and may take
> > longer than 5 seconds depending on server load). As for the annoying
> > startup delay - it takes me 3.52 minutes (yup...that's minutes) to
> > startup tomcat 3.1 with load balancing enabled using mod_jserv and
> > Apache+SSL (30 JVMs) without SecureRandom. I probably won't notice another
> > 5 seconds. :)
> > Having an option in a configuration file IMHO is always a good thing.
> > -Ys-
> > yhs@mimic.onesourcecorp.com
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> > 
> 

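The "separate thread" option raised in the quoted discussion, sketched as an added example: this is not code from the thread or from Tomcat, the class and method names are hypothetical, and it assumes a current JDK (8 or later) rather than the one in use in 2000. It keeps `SecureRandom` in every configuration and moves the seeding cost off the startup path; the first caller waits only if seeding has not finished.

```java
import java.security.SecureRandom;
import java.util.concurrent.CompletableFuture;

// Added illustration; BackgroundSeededIds and newId are hypothetical names.
public final class BackgroundSeededIds {

    // Seeding starts on a background thread when the class is loaded,
    // so server startup does not block on entropy gathering.
    private static final CompletableFuture<SecureRandom> SOURCE =
        CompletableFuture.supplyAsync(() -> {
            SecureRandom r = new SecureRandom();
            r.nextBytes(new byte[1]); // first use forces the self-seeding here
            return r;
        });

    /** Returns a 128-bit hex identifier; blocks only while seeding is pending. */
    public static String newId() {
        byte[] raw = new byte[16];
        SOURCE.join().nextBytes(raw); // SecureRandom is safe for concurrent use
        StringBuilder sb = new StringBuilder(32);
        for (byte b : raw) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        long t0 = System.nanoTime();
        // Other startup work would run here while seeding proceeds.
        String first = newId();
        long waitedMs = (System.nanoTime() - t0) / 1_000_000;
        System.out.printf("first id %s (waited %d ms)%n", first, waitedMs);
        System.out.println("second id " + newId());
    }
}
```
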
