tomcat-users mailing list archives

From Pid <>
Subject Re: Uniqueness of a sessionId
Date Sat, 09 Jan 2010 17:22:38 GMT
On 08/01/2010 20:46, Christopher Schultz wrote:
> Arnab,
> On 1/8/2010 8:07 AM, Arnab Ghosh wrote:
>> I have a doubt. Tomcat is using *org.apache.catalina.session.ManagerBase* to
>> generate sessionId. Now I want to know whether this generated key will be
>> unique in all context running under a tomcat service or it will be unique
>> under a particular context??
> The servlet specification (rev 2.5, section 7.3) states that a session
> is to be scoped within a single context. Clearly, session ids should be
> unique for a single context (webapp). Tomcat supports SSO
> (single-sign-on) which allows multiple webapps to share a session, so in
> that case, the session id should be unique across the set of webapps
> participating in SSO.
> I'm not sure about clusters, but they wouldn't work very well if session
> ids generated on one node interfered with session ids created on another
> node that need to be shared across the cluster. I believe that a node
> attaches its jvmRoute to the session id such that it becomes unique
> across the cluster, and is re-written if/when the node is failed-over.
> For clusters without session stickiness, where any node may receive a
> request for a particular session, the session ids had better be unique.
> I don't see any documentation for Tomcat 6 that explicitly states that
> session ids are unique for the cluster.
> Do you have a specific concern, or are you just interested in an
> academic sense?

Am not quite sure we've got to the bottom of the problem either.

I'm reading all of the posts by the same OP and I'm getting the 
impression that either their app does something unusual with the ID 
itself (e.g. is passing it as a unique key between apps) or the OP is 
confused about sessions generally.


> -chris
