tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yoav Shapira" <yoa...@MIT.EDU>
Subject RE: Unique Session ID's - are they really generated?
Date Mon, 02 May 2005 14:38:42 GMT

> Does anyone know if tomcat really has Unique Session ID creation.  That is
> I
> leave tomcat running for a week. Stop it.  Start it.  Is it possible that
> a
> duplication session ID will be created in my new running instance that
> matches a session ID created in my previous running instance.

It's possible, but exceedingly unlikely.  You can go over the implementation
yourself (the beauty of open-source ;)).  But even if you don't want to do
that, make sure to read  Note
that by configuring some of the Manager parameters discussed on this page,
such as "entropy," every time you restart the server, you can further reduce
duplicate session ID probability.  

Alternatively, if you're really paranoid about this, simply extend the
existing manager with one that keeps track of past session IDs, and does not
issue them ever again ;)

Yoav Shapira
System Design and Management Fellow
MIT Sloan School of Management / School of Engineering
Cambridge, MA USA /

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message