tomcat-users mailing list archives

From "Angus Mezick" <amez...@guidestar.org>
Subject RE: is session id unique across webapps ?
Date Wed, 04 Jun 2003 13:55:20 GMT
From ManagerBase.java:  I worry that jvmRoute is not unique across
servers in a cluster if using JDBC store instead of sticky sessions. 

    public Session createSession() {

        // Recycle or create a Session instance
        Session session = createEmptySession();

        // Initialize the properties of the new session and return it
        session.setNew(true);
        session.setValid(true);
        session.setCreationTime(System.currentTimeMillis());
        session.setMaxInactiveInterval(this.maxInactiveInterval);
        String sessionId = generateSessionId();

        String jvmRoute = getJvmRoute();
        // @todo Move appending of jvmRoute generateSessionId()???
        if (jvmRoute != null) {
            sessionId += '.' + jvmRoute;
        }
        synchronized (sessions) {
            while (sessions.get(sessionId) != null){ // Guarantee uniqueness
                sessionId = generateSessionId();
                duplicates++;
                // @todo Move appending of jvmRoute generateSessionId()???
                if (jvmRoute != null) {
                    sessionId += '.' + jvmRoute;
                }
            }
        }

        session.setId(sessionId);
        sessionCounter++;

        return (session);

    }


    protected synchronized String generateSessionId() {

        // Generate a byte array containing a session identifier
        Random random = getRandom();
        byte bytes[] = new byte[SESSION_ID_BYTES];
        getRandom().nextBytes(bytes);
        bytes = getDigest().digest(bytes);

        // Render the result as a String of hexadecimal digits
        StringBuffer result = new StringBuffer();
        for (int i = 0; i < bytes.length; i++) {
            byte b1 = (byte) ((bytes[i] & 0xf0) >> 4);
            byte b2 = (byte) (bytes[i] & 0x0f);
            if (b1 < 10)
                result.append((char) ('0' + b1));
            else
                result.append((char) ('A' + (b1 - 10)));
            if (b2 < 10)
                result.append((char) ('0' + b2));
            else
                result.append((char) ('A' + (b2 - 10)));
        }
        return (result.toString());

    }

10 minutes later after reading more code:
1) I love the fact that jakarta doesn't do * imports! YAH!
2) jvmRoute is a non-required field of the engine tag in server.xml.
You set it to anything you like so it is your own darn fault if the
session id isn't unique across a cluster!  YAH!


> -----Original Message-----
> From: Schwartz, David (CHR) [mailto:David.Schwartz3@pfizer.com] 
> Sent: Wednesday, June 04, 2003 9:30 AM
> To: 'Tomcat Users List'
> Subject: RE: is session id unique across webapps ?
> 
> 
> I thought it was based on the browser ID + number - therefore always unique.
> 
> -----Original Message-----
> From: Angus Mezick [mailto:amezick@guidestar.org]
> Sent: Wednesday, June 04, 2003 9:28 AM
> To: Tomcat Users List
> Subject: RE: is session id unique across webapps ?
> 
> 
> Hmm, I just read those two threads and I didn't see a final solution.  Is
> getJvmRoute() unique across tomcat instances running on 5 web servers
> all serving the same app using a JDBC session manager?  I know session
> id is unique within a webapp but what about over a cluster of webapps
> that don't use sticky sessions?  All that blather about it being a
> statistical improbability that a session id will be duped is crap.  It
> has to be IMPOSSIBLE across a non-sticky cluster for a dupe session id
> to be generated.
> --Angus
> 
> > -----Original Message-----
> > From: Tim Funk [mailto:funkman@joedog.org] 
> > Sent: Wednesday, June 04, 2003 6:56 AM
> > To: Tomcat Users List
> > Subject: Re: is session id unique across webapps ?
> > 
> > 
> > Tomcat creates its sessionids from a random number generator. The breadth of
> > random numbers is very wide allowing for "virtually" no overlaps. But since
> > they are random, dups may appear. Tomcat does have checks to make sure it
> > doesn't give out an existing session id in a particular webapp.
> > 
> > That being said, I think it is possible that the same session_id may be used
> > by two different users for two different webapps.
> > 
> > So if you really need a unique identifier, append session_id to context path.
> > 
> > There were a few discussions in developers list about session id uniqueness.
> > 
> http://marc.theaimsgroup.com/?t=104072145900001&r=1&w=2
> http://marc.theaimsgroup.com/?t=104207956000003&r=1&w=2
> 
> 
> -Tim
> 
> siddharth wrote:
> > Hi all,
> > 
> > I am trying to find out about *uniqueness* of *session ids* which are
> > generated by tomcat.
> > 
> > are session ids unique across webapps ???
> > -----------------------------------------------
> > 
> > 
> > 
> > thanx.
> > 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org

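
Added example (not part of the original message and not Tomcat code): a small model of the point made above, that the uniqueness loop in createSession() only consults one manager's own sessions map, so in a cluster sharing one store the jvmRoute suffix is what keeps the nodes' IDs apart. Node, crossNodeCollisions and the HashMap standing in for the JDBC store are hypothetical names, and ID_BYTES is deliberately set to 1 so that collisions are observable in a short run.

```java
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added illustration, not Tomcat code. Node models one Tomcat instance whose
// manager checks uniqueness only against its own in-memory session map.
public class JvmRouteDemo {
    static final int ID_BYTES = 1; // constructed: tiny ID space so collisions show up
    static final SecureRandom RNG = new SecureRandom();

    static class Node {
        final String jvmRoute;                     // may be null, as in server.xml
        final Set<String> local = new HashSet<>(); // stands in for the "sessions" map
        Node(String jvmRoute) { this.jvmRoute = jvmRoute; }

        String createSessionId() {
            String id;
            do {
                byte[] b = new byte[ID_BYTES];
                RNG.nextBytes(b);
                StringBuilder sb = new StringBuilder();
                for (byte x : b) sb.append(String.format("%02X", x));
                if (jvmRoute != null) sb.append('.').append(jvmRoute);
                id = sb.toString();
            } while (!local.add(id));              // retry on a local duplicate only
            return id;
        }
    }

    // Count IDs issued by different nodes that clash in one shared store.
    static int crossNodeCollisions(String routeA, String routeB, int perNode) {
        Node[] nodes = { new Node(routeA), new Node(routeB) };
        Map<String, Node> sharedStore = new HashMap<>(); // stands in for the JDBC store
        int collisions = 0;
        for (int i = 0; i < perNode; i++)
            for (Node n : nodes)
                if (sharedStore.put(n.createSessionId(), n) != null) collisions++;
        return collisions;
    }

    public static void main(String[] args) {
        System.out.println("same route:     " + crossNodeCollisions("tc", "tc", 200));
        System.out.println("no route:       " + crossNodeCollisions(null, null, 200));
        System.out.println("distinct route: " + crossNodeCollisions("tc1", "tc2", 200));
    }
}
```

With distinct routes the count is always zero because the suffixes partition the ID space; with equal or missing routes, avoiding a clash in the shared store rests entirely on the width of the random part.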