tomcat-users mailing list archives

From Craig McClanahan <>
Subject Re: session IDs
Date Tue, 15 Aug 2000 16:21:52 GMT
Cristian Southall wrote:

> Hi.
> My organisation is currently moving from an Oracle App Server environment to Tomcat.
> It would be nice to leverage Tomcat's convenient session management features but I have to
> convince my colleagues that the session IDs Tomcat issues are as 'secure' as those we currently
> I understand that the security of a session ID - given that it does not actually encode
> any information (that I know of) - is simply how difficult it would be to anticipate or recreate
> the string Tomcat issues but I cannot find any info on how Tomcat arrives at the values offered
> as session IDs.

One of the nice things about using open source software is that you can look straight to the
source code for this. For Tomcat 3.2beta 2, you would look at class org.apache.tomcat.util.SessionIdGenerator.
For Catalina (in the "jakarta-tomcat-4.0" workspace), the corresponding code is in org.apache.catalina.session.ManagerBase.
In both cases, the Java SecureRandom class is used to generate all or part of
the session identifier.

You can also choose to modify Tomcat yourself, replacing the session id generation code with
your own -- and/or offer your improved versions back to Tomcat for inclusion.

> I would greatly appreciate it if someone could point me towards some relevant documentation/resources
> on this matter.

> Thanks very much,
> Cristian

Craig McClanahan

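The point of the reply above is that the strength of a session ID rests entirely on how unpredictable the generator is, and that Tomcat draws that unpredictability from java.security.SecureRandom. The following is an added illustration of that idea, not Tomcat's own SessionIdGenerator or ManagerBase code and not part of the original message: a minimal generator that takes 16 bytes (an assumed length, not taken from the Tomcat source) from SecureRandom and hex-encodes them, next to a small check that shows why a seeded java.util.Random would be the wrong choice for this job.

```java
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Random;
import java.util.Set;

/**
 * Illustrative session-id generation (example code, not Tomcat's).
 * The id carries no information; its only security property is that an
 * outsider cannot anticipate or recreate it, so every bit must come from a
 * cryptographically strong source.
 */
public final class SessionIdExample {

    // Assumed size: 16 random bytes = 128 bits of entropy per id.
    private static final int SESSION_ID_BYTES = 16;

    // SecureRandom is seeded from the platform's entropy source and its
    // output is not recoverable from earlier outputs.
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns a fresh, uppercase hex session id. */
    public static String newSessionId() {
        byte[] buf = new byte[SESSION_ID_BYTES];
        RNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(buf.length * 2);
        for (byte b : buf) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString().toUpperCase();
    }

    /**
     * Sanity check on a batch of ids: correct length and no collisions.
     * A collision in a small sample would indicate a broken or badly
     * seeded generator.
     */
    public static boolean batchLooksSane(int sample) {
        Set<String> seen = new HashSet<>(sample * 2);
        for (int i = 0; i < sample; i++) {
            String id = newSessionId();
            if (id.length() != SESSION_ID_BYTES * 2 || !seen.add(id)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Demonstrates the failure mode the reply warns against: java.util.Random
     * is a deterministic function of its seed, so two instances seeded with
     * the same value (e.g. a guessable timestamp) produce identical ids.
     */
    public static boolean seededRandomIsReproducible(long seed) {
        return new Random(seed).nextLong() == new Random(seed).nextLong();
    }

    public static void main(String[] args) {
        System.out.println("sample id:           " + newSessionId());
        System.out.println("100000 ids sane:     " + batchLooksSane(100_000));
        System.out.println("Random(seed) repeats: " + seededRandomIsReproducible(1L));
    }
}
```

Running main prints a different id on every invocation, reports the batch as sane, and reports true for the seeded java.util.Random comparison, which is exactly the property a session-id generator must not have.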
