tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From craig...@locus.apache.org
Subject cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util SessionIdGenerator.java SessionUtil.java
Date Tue, 12 Dec 2000 01:01:07 GMT
craigmcc    00/12/11 17:01:06

  Modified:    .        Tag: TOMCAT_31_BRANCH build.xml
               src/admin/WEB-INF Tag: TOMCAT_31_BRANCH web.xml
               src/etc  Tag: TOMCAT_31_BRANCH web.xml
               src/examples/WEB-INF Tag: TOMCAT_31_BRANCH web.xml
               src/examples/WEB-INF/classes/examples Tag: TOMCAT_31_BRANCH
                        ShowSource.java
               src/share/org/apache/jasper/runtime Tag: TOMCAT_31_BRANCH
                        JspServlet.java
               src/share/org/apache/tomcat/service/connector Tag:
                        TOMCAT_31_BRANCH Ajp12ConnectionHandler.java
               src/share/org/apache/tomcat/servlets Tag: TOMCAT_31_BRANCH
                        DefaultServlet.java
               src/share/org/apache/tomcat/util Tag: TOMCAT_31_BRANCH
                        SessionIdGenerator.java SessionUtil.java
  Log:
  Fixes for security vulnerabilities in Tomcat 3.1 (final), and proposed
  release notes for a Tomcat 3.1.1 maintenance release that *only* fixes the
  security related problems.
  
  The identified (and fixed) vulnerabilities are:
  - Administrative application enabled by default (removed)
  - Case insensitive matches on static files under Windows
  - Snoop servlet mappings in example application
  - JSP "Show Source" could show WEB-INF files
  - Requesting unknown JSP pages showed disk file pathname
  - Session ID generation algorithm subject to attack (replaced
    with the algorithm from 3.2).
  - Tomcat 3.1 could be shut down remotely.
  
  See separate commits for security issues related to 3.2, and discussion of
  recommended course of action.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.44.4.1  +6 -0      jakarta-tomcat/build.xml
  
  Index: build.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/build.xml,v
  retrieving revision 1.44
  retrieving revision 1.44.4.1
  diff -u -r1.44 -r1.44.4.1
  --- build.xml	2000/04/05 03:16:15	1.44
  +++ build.xml	2000/12/12 01:00:59	1.44.4.1
  @@ -91,11 +91,13 @@
              classpath="${tomcat.build}/classes"/>
   
       <!-- admin context -->
  +<!-- Commented out by default because of limited ability to protect usage
       <mkdir dir="${tomcat.build}/webapps/admin"/>
       <copydir src="src/admin" dest="${tomcat.build}/webapps/admin"/>
       <javac srcdir="src/admin/WEB-INF/classes"
              destdir="${tomcat.build}/webapps/admin/WEB-INF/classes"
              classpath="${tomcat.build}/classes"/>
  +-->
   
       <!-- Test application -->
       <mkdir dir="${tomcat.build}/webapps/test"/>
  @@ -126,6 +128,7 @@
            includes="org/apache/jasper/**"/>
   
       <!-- Add Tomcat internal javadoc -->
  +<!-- Commented out to avoid incompatibilities with current Ant and Java2
       <mkdir dir="${tomcat.home}/webapps/ROOT/javadoc" />
       <javadoc packagenames="org.apache.tomcat.core"
                sourcepath="src/share"
  @@ -137,6 +140,7 @@
                doctitle="Tomcat internal"
                bottom="Copyright &#169; 2000 Apache Software Foundation. All Rights Reserved."
       />
  +-->
   
       <deltree dir="${tomcat.home}/classes"/>
   
  @@ -147,10 +151,12 @@
              includes="**" /> 
       <deltree dir="${tomcat.home}/webapps/examples"/>
   
  +<!--
       <jar   jarfile="${tomcat.home}/webapps/admin.war"
              basedir="${tomcat.home}/webapps/admin"
              includes="**" /> 
       <deltree dir="${tomcat.home}/webapps/admin"/>
  +-->
   
       <jar   jarfile="${tomcat.home}/webapps/ROOT.war"
              basedir="${tomcat.home}/webapps/ROOT"
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.1.6.1   +15 -0     jakarta-tomcat/src/admin/WEB-INF/web.xml
  
  Index: web.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/admin/WEB-INF/web.xml,v
  retrieving revision 1.1
  retrieving revision 1.1.6.1
  diff -u -r1.1 -r1.1.6.1
  --- web.xml	2000/02/18 18:33:03	1.1
  +++ web.xml	2000/12/12 01:01:00	1.1.6.1
  @@ -5,4 +5,19 @@
       "http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
   
   <web-app>
  +
  +    <security-constraint>
  +      <web-resource-collection>
  +        <url-pattern>/*</url-pattern>
  +      </web-resource-collection>
  +      <auth-constraint>
  +        <role-name>admin</role-name>
  +      </auth-constraint>
  +    </security-constraint>
  +
  +    <login-config>
  +      <auth-method>BASIC</auth-method>
  +      <realm-name>Tomcat Administrative Application</realm-name>
  +    </login-config>
  +
   </web-app>
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.1.6.1   +12 -0     jakarta-tomcat/src/etc/web.xml
  
  Index: web.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/etc/web.xml,v
  retrieving revision 1.1
  retrieving revision 1.1.6.1
  diff -u -r1.1 -r1.1.6.1
  --- web.xml	2000/02/09 23:26:28	1.1
  +++ web.xml	2000/12/12 01:01:01	1.1.6.1
  @@ -12,6 +12,18 @@
           <servlet-class>
               org.apache.tomcat.servlets.DefaultServlet
           </servlet-class>
  +        <init-param>
  +            <param-name>
  +                caseSensitive
  +            </param-name>
  +            <param-value>
  +                true
  +            </param-value>
  +            <description>
  +                Set to true for case-sensitive filename comparisons,
  +                even on non-case-sensitive platforms such as Windows.
  +            </description>
  +        </init-param>
   	<load-on-startup>
               -2147483646
   	</load-on-startup>
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.9.4.1   +2 -0      jakarta-tomcat/src/examples/WEB-INF/web.xml
  
  Index: web.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/web.xml,v
  retrieving revision 1.9
  retrieving revision 1.9.4.1
  diff -u -r1.9 -r1.9.4.1
  --- web.xml	2000/04/07 22:59:00	1.9
  +++ web.xml	2000/12/12 01:01:02	1.9.4.1
  @@ -27,6 +27,7 @@
             servletToJsp
         </servlet-class>
       </servlet>
  +<!--
       <servlet-mapping>
           <servlet-name>
               snoop
  @@ -43,6 +44,7 @@
               *.snp
           </url-pattern>
       </servlet-mapping>
  +-->
       <servlet-mapping>
           <servlet-name>
               servletToJsp
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.4.6.1   +3 -1      jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java
  
  Index: ShowSource.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/examples/WEB-INF/classes/examples/ShowSource.java,v
  retrieving revision 1.4
  retrieving revision 1.4.6.1
  diff -u -r1.4 -r1.4.6.1
  --- ShowSource.java	2000/03/07 19:53:39	1.4
  +++ ShowSource.java	2000/12/12 01:01:03	1.4.6.1
  @@ -20,7 +20,9 @@
       }
   
       public int doEndTag() throws JspException {
  -	if (jspFile.indexOf( ".." ) >= 0)
  +	if ((jspFile.indexOf( ".." ) >= 0) ||
  +            (jspFile.toUpperCase().indexOf("/WEB-INF/") != 0) ||
  +            (jspFile.toUpperCase().indexOf("/META-INF/") != 0))
   	    throw new JspTagException("Invalid JSP file " + jspFile);
   
           InputStream in
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.21.4.1  +1 -1      jakarta-tomcat/src/share/org/apache/jasper/runtime/Attic/JspServlet.java
  
  Index: JspServlet.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/jasper/runtime/Attic/JspServlet.java,v
  retrieving revision 1.21
  retrieving revision 1.21.4.1
  diff -u -r1.21 -r1.21.4.1
  --- JspServlet.java	2000/04/05 03:36:42	1.21
  +++ JspServlet.java	2000/12/12 01:01:03	1.21.4.1
  @@ -178,7 +178,7 @@
                   response.sendError(HttpServletResponse.SC_NOT_FOUND, 
                                      Constants.getString("jsp.error.file.not.found", 
                                                          new Object[] {
  -                                                           ex.getMessage()
  +                                                           jspUri
                                                          }));
                   
                   return;
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.21.4.1  +39 -1     jakarta-tomcat/src/share/org/apache/tomcat/service/connector/Attic/Ajp12ConnectionHandler.java
  
  Index: Ajp12ConnectionHandler.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/service/connector/Attic/Ajp12ConnectionHandler.java,v
  retrieving revision 1.21
  retrieving revision 1.21.4.1
  diff -u -r1.21 -r1.21.4.1
  --- Ajp12ConnectionHandler.java	2000/04/06 23:11:36	1.21
  +++ Ajp12ConnectionHandler.java	2000/12/12 01:01:04	1.21.4.1
  @@ -354,8 +354,11 @@
   		    } else {
   			try {
   			    // close the socket connection before handling any signal
  +                            InetAddress serverAddr = socket.getLocalAddress();
  +                            InetAddress clientAddr = socket.getInetAddress();
   			    sin.close();
  -			    if ( signal== 15 ) {
  +			    if ( (signal== 15) &&
  +                                  isSameAddress(serverAddr, clientAddr) ) {
   				// Shutdown - probably apache was stoped with apachectl stop
   				contextM.stop();
   				// same behavior as in past, because it seems that
  @@ -424,6 +427,41 @@
   	// XXX
   	// Support persistent connection in AJP21
   	//moreRequests = false;
  +    }
  +
  +    /**
  +     * Return <code>true</code> if the specified client and server addresses
  +     * are the same.  This method works around a bug in the IBM 1.1.8 JVM on
  +     * Linux, where the address bytes are returned reversed in some
  +     * circumstances.
  +     *
  +     * @param server The server's InetAddress
  +     * @param client The client's InetAddress
  +     */
  +    private boolean isSameAddress(InetAddress server, InetAddress client) {
  +
  +	// Compare the byte array versions of the two addresses
  +	byte serverAddr[] = server.getAddress();
  +	byte clientAddr[] = client.getAddress();
  +	if (serverAddr.length != clientAddr.length)
  +	    return (false);
  +	boolean match = true;
  +	for (int i = 0; i < serverAddr.length; i++) {
  +	    if (serverAddr[i] != clientAddr[i]) {
  +		match = false;
  +		break;
  +	    }
  +	}
  +	if (match)
  +	    return (true);
  +
  +	// Compare the reversed form of the two addresses
  +	for (int i = 0; i < serverAddr.length; i++) {
  +	    if (serverAddr[i] != clientAddr[(serverAddr.length-1)-i])
  +		return (false);
  +	}
  +	return (true);
  +
       }
   
   }
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.13.2.1.2.1 +21 -3     jakarta-tomcat/src/share/org/apache/tomcat/servlets/Attic/DefaultServlet.java
  
  Index: DefaultServlet.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/servlets/Attic/DefaultServlet.java,v
  retrieving revision 1.13.2.1
  retrieving revision 1.13.2.1.2.1
  diff -u -r1.13.2.1 -r1.13.2.1.2.1
  --- DefaultServlet.java	2000/04/13 12:46:37	1.13.2.1
  +++ DefaultServlet.java	2000/12/12 01:01:05	1.13.2.1.2.1
  @@ -82,6 +82,7 @@
       private Context context;
       String docBase;
       int debug=0;
  +    boolean caseSensitive = true;
   
       public void init() throws ServletException {
   	contextF = getServletContext();
  @@ -100,6 +101,18 @@
   	// debug
   	String dbg=getServletConfig().getInitParameter("debug");
   	if( dbg!=null) debug=1;
  +
  +        // case sensitivity on Windows
  +        String value = getServletConfig().getInitParameter("caseSensitive");
  +        if (value != null) {
  +            if ("true".equalsIgnoreCase(value) ||
  +                "yes".equalsIgnoreCase(value) ||
  +                "on".equalsIgnoreCase(value))
  +                caseSensitive = true;
  +            else
  +                caseSensitive = false;
  +        }
  +
       }
   
       public String getServletInfo() {
  @@ -273,11 +286,16 @@
   	// So, a check for File.separatorChar='\\' ..... It hopefully
   	// happens on flavors of Windows.
   	if (File.separatorChar  == '\\') {
  -		// On Windows check ignore case....
  -		if(!absPath.equalsIgnoreCase(canPath)) {
  +            // On Windows check case if requested ....
  +            boolean result;
  +            if (caseSensitive)
  +                result = !absPath.equals(canPath);
  +            else
  +                result = !absPath.equalsIgnoreCase(canPath);
  +            if (result) {
   	    	response.sendError(response.SC_NOT_FOUND);
   	    	return;
  -		}
  +            }
   	} else {
   		// The following code on Non Windows disallows ../
   		// in the path but also disallows symlinks....
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.1.1.1.8.1 +113 -41   jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator.java
  
  Index: SessionIdGenerator.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator.java,v
  retrieving revision 1.1.1.1
  retrieving revision 1.1.1.1.8.1
  diff -u -r1.1.1.1 -r1.1.1.1.8.1
  --- SessionIdGenerator.java	1999/10/09 00:20:56	1.1.1.1
  +++ SessionIdGenerator.java	2000/12/12 01:01:05	1.1.1.1.8.1
  @@ -1,13 +1,13 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator.java,v
1.1.1.1 1999/10/09 00:20:56 duncan Exp $
  - * $Revision: 1.1.1.1 $
  - * $Date: 1999/10/09 00:20:56 $
  + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/SessionIdGenerator.java,v
1.1.1.1.8.1 2000/12/12 01:01:05 craigmcc Exp $
  + * $Revision: 1.1.1.1.8.1 $
  + * $Date: 2000/12/12 01:01:05 $
    *
    * ====================================================================
    *
    * The Apache Software License, Version 1.1
    *
  - * Copyright (c) 1999 The Apache Software Foundation.  All rights 
  + * Copyright (c) 1999 The Apache Software Foundation.  All rights
    * reserved.
    *
    * Redistribution and use in source and binary forms, with or without
  @@ -15,7 +15,7 @@
    * are met:
    *
    * 1. Redistributions of source code must retain the above copyright
  - *    notice, this list of conditions and the following disclaimer. 
  + *    notice, this list of conditions and the following disclaimer.
    *
    * 2. Redistributions in binary form must reproduce the above copyright
    *    notice, this list of conditions and the following disclaimer in
  @@ -23,15 +23,15 @@
    *    distribution.
    *
    * 3. The end-user documentation included with the redistribution, if
  - *    any, must include the following acknowlegement:  
  - *       "This product includes software developed by the 
  + *    any, must include the following acknowlegement:
  + *       "This product includes software developed by the
    *        Apache Software Foundation (http://www.apache.org/)."
    *    Alternately, this acknowlegement may appear in the software itself,
    *    if and wherever such third-party acknowlegements normally appear.
    *
    * 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
    *    Foundation" must not be used to endorse or promote products derived
  - *    from this software without prior written permission. For written 
  + *    from this software without prior written permission. For written
    *    permission, please contact apache@apache.org.
    *
    * 5. Products derived from this software may not be called "Apache"
  @@ -59,50 +59,122 @@
    *
    * [Additional notices, if required by prior licensing conditions]
    *
  - */ 
  + */
   
   
   package org.apache.tomcat.util;
   
   /**
  - * Generates sesssion ids for the system. The ids produced by this
  - * class aren't very sophisticated being just a random number followed
  - * by a synchronized counter.
  + * This class generates a unique 10+ character id. This is good
  + * for authenticating users or tracking users around.
  + * <p>
  + * This code was borrowed from Apache JServ.JServServletManager.java.
  + * It is what Apache JServ uses to generate session ids for users.
  + * Unfortunately, it was not included in Apache JServ as a class
  + * so I had to create one here in order to use it.
    *
    * @author James Duncan Davidson [duncan@eng.sun.com]
    * @author Jason Hunter [jhunter@acm.org]
  + * @author Jon S. Stevens <a href="mailto:jon@latchkey.com">jon@latchkey.com</a>
  + * @author Shai Fultheim [shai@brm.com]
    */
  -
   public class SessionIdGenerator {
   
  -    private static int counter = 1010;
  -    
  -    public static synchronized String generateId() {
  -
  -	// XXX
  -	// This code is not very secure at all. It's good enough
  -	// for a reference implementation where you want to make
  -	// sure to not repeat under most circumstances -- but its
  -	// not anything that could be considered to be safe for
  -	// military or banking use.
  -
  -	// maybe.....
  -	// replace with some sort of MD5 hash so that it is impossible
  -	// to figure out which is the counter and which is the random
  -	
  -        Integer i = new Integer(counter++);
  -        StringBuffer buf = new StringBuffer();
  -        String dString = Double.toString(Math.abs(Math.random()));
  -
  -        // we do the substring to get rid of the initial '0.'
  -        // characters.
  -
  -        buf.append("To");
  -        buf.append(i);
  -        buf.append("mC");
  -        buf.append(dString.substring(2, dString.length()));
  -        buf.append("At");
  +    /*
  +     * Create a suitable string for session identification
  +     * Use synchronized count and time to ensure uniqueness.
  +     * Use random string to ensure timestamp cannot be guessed
  +     * by programmed attack.
  +     *
  +     * format of id is <6 chars random><3 chars time><1+ char count>
  +     */
  +    static private int session_count = 0;
  +    static private long lastTimeVal = 0;
  +    static private java.util.Random randomSource;
  +
  +    // MAX_RADIX is 36
  +    /*
  +     * we want to have a random string with a length of
  +     * 6 characters. Since we encode it BASE 36, we've to
  +     * modulo it with the following value:
  +     */
  +    public final static long maxRandomLen = 2176782336L; // 36 ** 6
  +
  +    /*
  +     * The session identifier must be unique within the typical lifespan
  +     * of a Session, the value can roll over after that. 3 characters:
  +     * (this means a roll over after over an day which is much larger
  +     *  than a typical lifespan)
  +     */
  +    public final static long maxSessionLifespanTics = 46656; // 36 ** 3
  +
  +    /*
  +     *  millisecons between different tics. So this means that the
  +     *  3-character time string has a new value every 2 seconds:
  +     */
  +    public final static long ticDifference = 2000;
  +
  +    // ** NOTE that this must work together with get_jserv_session_balance()
  +    // ** in jserv_balance.c
  +    static synchronized public String getIdentifier (String jsIdent)
  +    {
  +        StringBuffer sessionId = new StringBuffer();
  +        
  +        if (randomSource == null) {
  +            String className = System.getProperty("tomcat.sessionid.randomclass");
  +            if (className != null) {
  +                try {
  +                    Class randomClass = Class.forName(className);
  +                    randomSource = (java.util.Random)randomClass.newInstance();
  +                }
  +                catch (Exception e) {
  +                    e.printStackTrace();
  +                }
  +            }
  +            if (randomSource == null)
  +                randomSource = new java.security.SecureRandom();
  +        }
  +
  +        // random value ..
  +        long n = randomSource.nextLong();
  +        if (n < 0) n = -n;
  +        n %= maxRandomLen;
  +        // add maxLen to pad the leading characters with '0'; remove
  +        // first digit with substring.
  +        n += maxRandomLen;
  +        sessionId.append (Long.toString(n, Character.MAX_RADIX)
  +                  .substring(1));
  +
  +        long timeVal = (System.currentTimeMillis() / ticDifference);
  +        // cut..
  +        timeVal %= maxSessionLifespanTics;
  +        // padding, see above
  +        timeVal += maxSessionLifespanTics;
  +
  +        sessionId.append (Long.toString (timeVal, Character.MAX_RADIX)
  +                  .substring(1));
  +
  +        /*
  +         * make the string unique: append the session count since last
  +         * time flip.
  +         */
  +        // count sessions only within tics. So the 'real' session count
  +        // isn't exposed to the public ..
  +        if (lastTimeVal != timeVal) {
  +          lastTimeVal = timeVal;
  +          session_count = 0;
  +        }
  +        sessionId.append (Long.toString (++session_count,
  +                     Character.MAX_RADIX));
  +
  +        if (jsIdent != null && jsIdent.length() > 0) {
  +            return sessionId.toString()+"."+jsIdent;
  +        }
  +        return sessionId.toString();
  +    }
   
  -        return buf.toString();
  +    public static synchronized String generateId(String jsIdent) {
  +        return getIdentifier(jsIdent);
       }
  +
   }
  
  
  
  1.3.4.1   +5 -24     jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/SessionUtil.java
  
  Index: SessionUtil.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/SessionUtil.java,v
  retrieving revision 1.3
  retrieving revision 1.3.4.1
  diff -u -r1.3 -r1.3.4.1
  --- SessionUtil.java	2000/02/14 04:59:43	1.3
  +++ SessionUtil.java	2000/12/12 01:01:06	1.3.4.1
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/SessionUtil.java,v
1.3 2000/02/14 04:59:43 costin Exp $
  - * $Revision: 1.3 $
  - * $Date: 2000/02/14 04:59:43 $
  + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/SessionUtil.java,v
1.3.4.1 2000/12/12 01:01:06 craigmcc Exp $
  + * $Revision: 1.3.4.1 $
  + * $Date: 2000/12/12 01:01:06 $
    *
    * ====================================================================
    *
  @@ -75,21 +75,12 @@
    * <code>Session</code> implementations.
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.3 $ $Date: 2000/02/14 04:59:43 $
  + * @version $Revision: 1.3.4.1 $ $Date: 2000/12/12 01:01:06 $
    */
   
   public final class SessionUtil {
   
   
  -    // ------------------------------------------------------- Static Variables
  -
  -
  -    /**
  -     * Private counter used in generating session identifiers.
  -     */
  -    private static int counter = 1010;
  -
  -
       // --------------------------------------------------------- Public Methods
   
   
  @@ -182,18 +173,8 @@
        * is not at all sophisticated or secure.
        */
       public static String generateSessionId() {
  -
  -	Integer i = new Integer(counter++);
  -	StringBuffer buf = new StringBuffer();
  -	String dString = Double.toString(Math.abs(Math.random()));
  -
  -	buf.append("To");
  -	buf.append(i);
  -	buf.append("mC");
  -	buf.append(dString.substring(2));	// Skip "0." at the start
  -	buf.append("At");
   
  -	return (buf.toString());
  +        return (SessionIdGenerator.generateId(null));
   
       }
   
  
  
  

Mime
View raw message