tomcat-users mailing list archives

From "Andrew R Feller" <>
Subject RE: Tomcat JSessionID regex
Date Mon, 07 Apr 2008 12:54:38 GMT

Thanks for the reply!  As far as why I was looking for a regex to match the
session ID, it was more to know what was valid or not.  I certainly can
match based on anything that isn't a space where I expect it to be.  I
just wanted to know how large it was so I could allocate enough space to

Thanks once again,

Andrew R Feller, Analyst
University Information Systems
200 Fred Frey Building
Louisiana State University
Baton Rouge, LA, 70803
(225) 578-3737 (Office)
(225) 578-6400 (Fax)

-----Original Message-----
From: Christopher Schultz [] 
Sent: Friday, April 04, 2008 2:09 PM
To: Tomcat Users List
Subject: Re: Tomcat JSessionID regex


Andrew R Feller wrote:
| While working on a trending tool, I decided to capture users' session
| IDs.  However, I don't know A.) How long they are OR B.) What
| are valid for a session ID.  I have not found any documentation
| anything about it, so I was hoping someone here knew.

The servlet specification does not contain any rules for the session id,
other than that it must uniquely identify users. That suggests some
minimum length to cover all reasonable numbers of unique visitors. Other
than that, there are no constraints. There's nothing that says the
session id needs to be a certain length (or even minimum length!), made
up of certain characters, etc.

Tomcat happens to use a random 16-byte session id that is transmitted as
a cookie value by converting it into 32 letters and numbers representing
the nibbles in network byte order. So, if the session id is [0x01, 0x23,
0xab, ...] then the cookie value will look like "0123ab...".

You can't write a regexp that will always work, but you can write one
that will work on Tomcat. May I ask why you need a regular expression
for this value? Why not simply accept all session id values, regardless
of their content?

-chris



To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:
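
An added example, not part of either message above: one way a trending tool could follow both points in the thread, by accepting any non-space session ID, noting whether it has the 32-hex-digit Tomcat shape, and storing a fixed-width keyed hash instead of the raw ID, so the column size is known and the store never holds a usable session token. The log layout, the length bound, the HMAC pseudonym and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import re

# Shape described in the thread: 16 random bytes written as 32 hex digits.
TOMCAT_ID = re.compile(r"[0-9A-Fa-f]{32}")
# Hypothetical log layout: the ID follows "JSESSIONID=" and runs to the next
# whitespace or ';' (the "anything that isn't a space" approach).
SESSION_FIELD = re.compile(r"JSESSIONID=([^\s;]+)")
MAX_ID_LEN = 256  # assumed sanity bound for this tool, not a Tomcat or spec limit


def session_key(raw_id: str, secret: bytes) -> str:
    """Fixed-width (64 hex chars) pseudonym for a session ID of any length."""
    return hmac.new(secret, raw_id.encode("utf-8"), hashlib.sha256).hexdigest()


def parse_line(line: str, secret: bytes):
    """Return (key, looks_like_tomcat) for a log line, or None if no usable ID."""
    m = SESSION_FIELD.search(line)
    if m is None or len(m.group(1)) > MAX_ID_LEN:
        return None
    raw = m.group(1)
    return session_key(raw, secret), TOMCAT_ID.fullmatch(raw) is not None


def count_requests(lines, secret: bytes):
    """Requests per session pseudonym; IDs are never rejected for their shape."""
    counts = {}
    for line in lines:
        parsed = parse_line(line, secret)
        if parsed is not None:
            counts[parsed[0]] = counts.get(parsed[0], 0) + 1
    return counts


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    "2008-04-04 14:09:01 GET /app/home JSESSIONID=0123AB45CD67EF890123AB45CD67EF89 200",
    "2008-04-04 14:09:05 GET /app/list JSESSIONID=0123AB45CD67EF890123AB45CD67EF89 200",
    "2008-04-04 14:09:09 GET /app/home JSESSIONID=aB3-x_9Zq7.other-container; 200",
    "2008-04-04 14:09:12 GET /static/logo.png - 200",
]
SAMPLE_SECRET = b"constructed-demo-key"  # placeholder; a real tool loads its own key

if __name__ == "__main__":
    for key, n in count_requests(SAMPLE_LOG, SAMPLE_SECRET).items():
        print(key[:12], n)
```
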
