tomcat-dev mailing list archives

From Costin Manolache <cmanola...@yahoo.com>
Subject Re: Duplicate session IDs are *common*
Date Thu, 09 Jan 2003 03:37:28 GMT
Schnitzer, Jeff wrote:

> For whatever reason, be it the seed algorithm or the hashing algorithm
> or something else that degenerates the randomness - the duplicate
> session ID problem is very, very common.
> 
> I discovered this problem because a few of our users suddenly found
> themselves with the sessions from administrative accounts.  Luckily they
> alerted us instead of causing mayhem.  There were at least three
> separate occasions of this in the last week - that we heard about.
> 
> We have also seen this a number of times with other game components -
> users suddenly finding themselves logged in as other people.
> 
> It probably explains the recent post to tomcat-user included below.
> 
> Here at my company this problem caused about as much panic as a wildfire
> breaking out in the machine room (read: LOTS).  I humbly suggest raising
> the level of concern a bit; post a security bulletin, etc.

What version of Tomcat? Are you on Linux? What randomClass are you using?
How many sessions are usually generated?

The default is java.security.SecureRandom - and should give enough
randomness. There is a change on head (that would work with 5.0 - but
it can be backported) that allows you to use /dev/urandom (or another
source - it can be a pipe or something like that).


Costin
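The two entropy sources mentioned above (the default java.security.SecureRandom and a byte stream such as /dev/urandom) side by side, with the duplicate check a deployer would run to catch the degenerate-randomness symptom Jeff describes. This is an added example, not Tomcat's own code; the EntropySource interface and the method names are hypothetical, and only stand in for what Tomcat's randomClass setting selects.

```java
// Added example, not Tomcat's code: session IDs from SecureRandom or a byte
// stream such as /dev/urandom, plus a duplicate check over a batch of IDs.
import java.io.*;
import java.security.SecureRandom;
import java.util.*;
public class SessionIdCheck {
    /** Hypothetical abstraction over the entropy source (what randomClass selects in Tomcat). */
    interface EntropySource { void nextBytes(byte[] buf) throws IOException; }
    /** Default: java.security.SecureRandom. */
    static EntropySource secureRandomSource() {
        SecureRandom rnd = new SecureRandom();
        return rnd::nextBytes;
    }
    /** Alternative: a device or pipe such as /dev/urandom; read() may return short, so loop. */
    static EntropySource streamSource(String path) throws IOException {
        InputStream in = new FileInputStream(path);
        return buf -> {
            for (int off = 0; off < buf.length; ) {
                int n = in.read(buf, off, buf.length - off);
                if (n < 0) throw new IOException("entropy stream exhausted: " + path);
                off += n;
            }
        };
    }
    /** 16 random bytes rendered as 32 hex characters. */
    static String newSessionId(EntropySource src) throws IOException {
        byte[] raw = new byte[16];
        src.nextBytes(raw);
        StringBuilder sb = new StringBuilder(32);
        for (byte b : raw) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    /** Generates count IDs; returns the first repeated ID, or null if all are distinct. */
    static String firstDuplicate(EntropySource src, int count) throws IOException {
        Set<String> seen = new HashSet<>();
        for (int i = 0; i < count; i++) {
            String id = newSessionId(src);
            if (!seen.add(id)) return id;   // a repeat this early means the source is degenerate
        }
        return null;
    }
    public static void main(String[] args) throws IOException {
        // No argument: SecureRandom. Argument: path of a device or pipe, e.g. /dev/urandom.
        EntropySource src = args.length > 0 ? streamSource(args[0]) : secureRandomSource();
        String dup = firstDuplicate(src, 100_000);
        System.out.println(dup == null ? "no duplicates in 100000 IDs" : "DUPLICATE: " + dup);
    }
}
```

With a healthy source, 100,000 IDs of 128 bits each should never collide; any duplicate reported here is a seeding or source problem, not chance.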