I hope you were joking about the monotonic increase of sessionIds. If that were done - it would be trivial to steal another's sessionId by guessing.
Anyhoo, attached is a patch which does the following:
- Moves the appending of jvmRoute into generateSessionId()
- uncomments the duplicate session check
- When debug is turned ON (>=1) it complains that a dup sessionId was created when the occurrence happens
If there is interest in this - I can throw it into bugzilla so it doesn't get lost.
-Tim
Schnitzer, Jeff wrote:
What prevents Tomcat from issuing duplicate session IDs? From the code in ManagerBase, it doesn't look like anything prevents it - the only unique value in the ID is a random number. In fact, the code which would guarantee uniqueness is commented out.

I believe we have seen a problem with duplicate session ids on our production (high-traffic) site. It's hard to say exactly because the problem is very rare, but we have had at least two reports from users that they log in and see data from other people's accounts. If Tomcat is generating session ids randomly, this is a _HUGE_ problem. Why not just include a monotonically increasing integer in the session string?

Thanks,
Jeff Schnitzer
[EMAIL PROTECTED]
The Sims Online
Index: ManagerBase.java =================================================================== RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/session/ManagerBase.java,v retrieving revision 1.12 diff -r1.12 ManagerBase.java 138,139c138,139 < < --- > > 293,294c293,294 < < --- > > 582,588c582 < String jvmRoute = getJvmRoute(); < // @todo Move appending of jvmRoute generateSessionId()??? < if (jvmRoute != null) { < sessionId += '.' + jvmRoute; < session.setId(sessionId); < } < /* --- > 590c584 < while (sessions.get(sessionId) != null) // Guarantee uniqueness --- > while (sessions.get(sessionId) != null){ // Guarantee uniqueness 591a586,588 > if (debug >= 1) > log(sm.getString("managerBase.duplicateSessionId")); > } 593c590 < */ --- > 693a691,696 > > String jvmRoute = getJvmRoute(); > if (jvmRoute != null) { > result.append('.').append(jvmRoute); > } > Index: LocalStrings.properties =================================================================== RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/session/LocalStrings.properties,v retrieving revision 1.11 diff -r1.11 LocalStrings.properties 22a23 > managerBase.duplicateSessionId=Created duplicate sessionId. Regenerating another >sessionId now. 63a65 >
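Review bot: hunks 138,139c138,139 and 293,294c293,294 in ManagerBase.java, and 63a65 in LocalStrings.properties, are whitespace-only (empty lines replaced by empty lines, a trailing blank line appended) and carry no change; drop them so the patch contains only the uniqueness and jvmRoute edits, which keeps the review focused and avoids spurious rejects on a tree with different line endings.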
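Review bot: in hunks 590c584 and 591a586,588 the new log call is guarded by `if (debug >= 1)`, but a collision between two independently generated random ids should be practically impossible with a sound random source, so when this loop body actually runs it indicates a weak or badly seeded generator or a flaw in id construction; that belongs in the log at the default level, not only when debugging is on. Also, from the visible lines the loop only reads `sessions` (`while (sessions.get(sessionId) != null){ // Guarantee uniqueness`); unless this check and the later registration of the session run under the same lock, two concurrent requests can both pass the test with the same id before either adds it, so the "Guarantee uniqueness" comment holds only if the caller synchronizes on `sessions` across both steps. Note too that the check covers only ids known to this Manager instance; across nodes it is the jvmRoute suffix, not this loop, that keeps ids apart.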
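Review bot: hunks 582,588c582 and 693a691,696 move the route suffix into generateSessionId(), so the uniqueness loop now compares the full id including the jvmRoute, which matches what is stored; but the removed block also called `session.setId(sessionId)` after the suffix was appended. Please confirm that the session's id is still set from the suffixed value on the remaining path (not visible in this diff), otherwise the session would be registered under a different key than the one sent to the browser. For the new key in LocalStrings.properties (22a23), "Created duplicate sessionId. Regenerating another sessionId now." is redundant; suggest "Generated a duplicate session id; generating a new one."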
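As an added example (not Tomcat's code and not part of the patch above), here is a generator that applies Jeff's concern and Tim's patch together: ids from SecureRandom rather than a counter, the jvmRoute suffix appended inside generateSessionId(), and the duplicate check held under the same lock as the registration so that "guarantee uniqueness" actually holds. The class, method and route names and the deliberately faulty RNG are constructed for the demonstration.

```java
import java.security.SecureRandom;
import java.util.*;
public class SessionIdDemo {                      // example class, not Tomcat's ManagerBase
    private final Random random;                  // SecureRandom in real use
    private final String jvmRoute;                // null when not clustered
    private final Map<String, Object> sessions = new HashMap<>();
    int collisions = 0;
    SessionIdDemo(Random random, String jvmRoute) { this.random = random; this.jvmRoute = jvmRoute; }
    // 128 random bits, hex-encoded; the route suffix is added here, so the
    // duplicate check compares exactly what is stored in the session map.
    String generateSessionId() {
        byte[] buf = new byte[16];
        random.nextBytes(buf);
        StringBuilder sb = new StringBuilder();
        for (byte b : buf) sb.append(String.format("%02x", b));
        if (jvmRoute != null) sb.append('.').append(jvmRoute);
        return sb.toString();
    }
    // One lock covers the uniqueness test and the put, so concurrent requests cannot both pass with the same id.
    synchronized String createSession() {
        String id = generateSessionId();
        while (sessions.containsKey(id)) {        // guarantee uniqueness
            // Colliding 128-bit random ids means the entropy source is broken:
            // report it at every debug level, not only when debug >= 1.
            collisions++;
            System.err.println("WARN duplicate session id " + id + ", generating another");
            id = generateSessionId();
        }
        sessions.put(id, new Object());
        return id;
    }

    public static void main(String[] args) {
        SessionIdDemo prod = new SessionIdDemo(new SecureRandom(), "tomcat1");
        for (int i = 0; i < 10000; i++) prod.createSession();
        System.out.println("SecureRandom: " + prod.collisions + " collisions");
        // Constructed faulty RNG: same bytes on its first two calls, forcing the duplicate path.
        Random stuck = new Random() {
            int calls = 0;
            @Override public void nextBytes(byte[] b) {
                if (calls++ < 2) Arrays.fill(b, (byte) 0x42); else super.nextBytes(b);
            }
        };
        SessionIdDemo faulty = new SessionIdDemo(stuck, null);
        faulty.createSession();
        faulty.createSession();                   // regenerates after one duplicate
        System.out.println("stuck RNG: " + faulty.collisions + " collisions");
    }
}
```

The first run reports no collisions; the second shows the loop catching the repeated id and the warning that a real deployment should surface regardless of the debug setting.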