tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Duplicate session IDs?
Date Mon, 30 Dec 2002 19:33:40 GMT
Good catch!
I'll apply the patch (if somebody doesn't beat me to it).

----- Original Message -----
From: "Glenn Olander" <glenn@greenoak.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Monday, December 30, 2002 8:05 AM
Subject: Re: Duplicate session IDs?


> fyi, the version he checked in contains a bug. It should append jvmRoute
> within the loop. It should look like this:
>
>        String sessionId = generateSessionId();
>        String jvmRoute = getJvmRoute();
>        // @todo Move appending of jvmRoute generateSessionId()???
>        if (jvmRoute != null) {
>            sessionId += '.' + jvmRoute;
>        }
>        synchronized (sessions) {
>            while (sessions.get(sessionId) != null) {       // Guarantee uniqueness
>                sessionId = generateSessionId();
>                if (jvmRoute != null) {
>                    sessionId += '.' + jvmRoute;
>                }
>            }
>        }
>        session.setId(sessionId);
>
>        return (session);
>
> Remy Maucherat wrote:
>
> >Glenn Olander wrote:
> >
> >
> >     I can also report that I've seen this happen when the system is
> >     under load. We had a user log in and gain access to another user's
> >     session. I'm sure you can understand that makes it a very serious
> >     bug for security-sensitive applications, perhaps even deserving
> >     some kind of security alert announcement.
> >
> >     Tim's patch is robust and seems like a good candidate for
> >     inclusion in the source at the earliest opportunity since it
> >     ensures that no duplicate session IDs will be commissioned
> >     (and ManagerBase already uses SecureRandom).
> >
> > Bill enabled the (ugly but very safe) code for getting rid of
> > duplicates. That will be in 4.1.x, at least for now.


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
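The uniqueness loop quoted above, as an added example that is not part of this thread or of Tomcat's own code. The `SessionManager`, `Session` and `IdGenerator` types are hypothetical stand-ins for the manager the thread discusses; the "colliding" generator is constructed so that the second raw id repeats the first, which is the situation the retry loop exists for. The buggy variant reproduces the defect Glenn points out (the retry drops the jvmRoute suffix); the fixed variant appends the suffix on every candidate and also claims the id in the same synchronized block that checked it, so two threads cannot both pass the check with the same id.

```java
import java.security.SecureRandom;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Minimal stand-in for a servlet session: only the id matters here. */
final class Session {
    private String id;
    String getId() { return id; }
    void setId(String id) { this.id = id; }
}

/** Source of raw ids; pluggable so the collision case can be forced in main(). */
interface IdGenerator {
    String next();
}

/** Hypothetical manager modelled on the quoted createSession() loop (not Tomcat's ManagerBase). */
final class SessionManager {
    private final Map<String, Session> sessions = new HashMap<>();
    private final IdGenerator generator;
    private final String jvmRoute;   // null when no load-balancer route is configured

    SessionManager(IdGenerator generator, String jvmRoute) {
        this.generator = generator;
        this.jvmRoute = jvmRoute;
    }

    /** Raw id plus the optional ".route" suffix used for sticky-session routing. */
    private String routedId() {
        String id = generator.next();
        return jvmRoute != null ? id + '.' + jvmRoute : id;
    }

    /** The defect described in the thread: the retry inside the loop drops the jvmRoute suffix. */
    Session createSessionBuggy() {
        String sessionId = routedId();
        Session session = new Session();
        synchronized (sessions) {
            while (sessions.get(sessionId) != null) {
                sessionId = generator.next();   // suffix lost on retry
            }
            session.setId(sessionId);
            sessions.put(sessionId, session);
        }
        return session;
    }

    /** Fixed: every candidate carries the suffix, and the id is claimed under the lock that checked it. */
    Session createSession() {
        Session session = new Session();
        synchronized (sessions) {
            String sessionId = routedId();
            while (sessions.get(sessionId) != null) {   // guarantee uniqueness
                sessionId = routedId();
            }
            session.setId(sessionId);
            sessions.put(sessionId, session);   // claim before releasing the lock
        }
        return session;
    }

    int size() { return sessions.size(); }
}

public class DuplicateSessionIdDemo {
    /** Production-style generator: 16 bytes from SecureRandom, hex encoded. */
    static IdGenerator secureGenerator() {
        SecureRandom random = new SecureRandom();
        return () -> {
            byte[] raw = new byte[16];
            random.nextBytes(raw);
            StringBuilder sb = new StringBuilder(32);
            for (byte b : raw) sb.append(String.format("%02X", b));
            return sb.toString();
        };
    }

    /** Constructed generator that hands out a duplicate on purpose (AAAA twice, then BBBB). */
    static IdGenerator collidingGenerator() {
        Deque<String> scripted = new ArrayDeque<>(List.of("AAAA", "AAAA", "BBBB"));
        return scripted::pollFirst;
    }

    public static void main(String[] args) {
        SessionManager buggy = new SessionManager(collidingGenerator(), "node1");
        buggy.createSessionBuggy();
        System.out.println("buggy retry id: " + buggy.createSessionBuggy().getId());

        SessionManager fixed = new SessionManager(collidingGenerator(), "node1");
        fixed.createSession();
        System.out.println("fixed retry id: " + fixed.createSession().getId());

        SessionManager prod = new SessionManager(secureGenerator(), null);
        System.out.println("random id: " + prod.createSession().getId());
    }
}
```

With the scripted generator the first session in each manager takes "AAAA.node1"; on the second call the buggy path ends up with "BBBB" (no route, so a sticky load balancer can no longer pin the client to this node), while the fixed path yields "BBBB.node1". The retry loop only protects against a collision if the check and the insertion happen under one lock, which is why the fixed variant puts the session into the map before releasing it.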

