I wasn't suggesting making the whole session id a monotonically
increasing integer, but to include such a value in the id along with the
random part.

Thanks for the patch - I'll apply it to my cluster.  Please see it into
the official distribution!  You can imagine the trouble that could be
caused if someone was using Tomcat for a banking application...

Jeff Schnitzer
[EMAIL PROTECTED]
The Sims Online


---------------------------------------------------------------------------

From: Tim Funk 
Subject: Re: Duplicate session IDs? 
Date: Tue, 24 Dec 2002 05:53:33 -0800 

---------------------------------------------------------------------------
I agree that there is a tiny chance this could happen. It seems the
original uniqueness code had a bug in it because it did not attach the
jvmRoute after re-generating the sessionId. That's why it was probably
commented out.

I hope you were joking about the monotonic increase of sessionIds. If
that were done - it would be trivial to steal another's sessionId by
guessing.

Anyhoo, attached is a patch which does the following:
- Moves the appending of jvmRoute into generateSessionId()
- uncomments the duplicate session check
- When debug is turned ON (>=1) it complains that a dup sessionId was created
when the occurrence happens

If there is interest in this - I can throw it into bugzilla so it
doesn't get lost.

-Tim


Schnitzer, Jeff wrote:

What prevents Tomcat from issuing duplicate session IDs?  From the code
in ManagerBase, it doesn't look like anything prevents it - the only
unique value in the ID is a random number.  In fact, the code which
would guarantee uniqueness is commented out.

I believe we have seen a problem with duplicate session ids on our
production (high-traffic) site.  It's hard to say exactly because the
problem is very rare, but we have had at least two reports from users
that they log in and see data from other people's accounts.

If Tomcat is generating session ids randomly, this is a _HUGE_ problem.
Why not just include a monotonically increasing integer in the session
string?

Thanks,
Jeff Schnitzer
[EMAIL PROTECTED]
The Sims Online
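The two properties argued over in this thread, that the ID must be unguessable (so no bare counter) and that accidental duplicates must still be caught (jvmRoute appended before the check, collision logged when debug is on), are easy to mix up. The following is an added illustration written for this page; it is not Tomcat's ManagerBase code or Tim's patch. The class name, the 128-bit random size, the in-memory session map and the debug flag are all assumptions made for the example.

```java
import java.security.SecureRandom;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;

/**
 * Illustrative session-ID generator (added example; NOT Tomcat's ManagerBase).
 *
 * 1. Unpredictability: the bulk of the ID comes from a CSPRNG (SecureRandom),
 *    never from a counter alone, which an attacker could simply enumerate.
 * 2. Uniqueness: a per-JVM counter is folded in alongside the random part,
 *    the jvmRoute is appended before the duplicate check runs, and any
 *    collision with a live session is logged (when debug >= 1) and retried.
 */
public class SessionIdGenerator {
    private static final Logger LOG = Logger.getLogger(SessionIdGenerator.class.getName());
    private static final int RANDOM_BYTES = 16;   // 128 bits of entropy per ID (assumed size)

    private final SecureRandom random = new SecureRandom();
    private final String jvmRoute;                // e.g. "node1" in a load-balanced cluster
    private final Map<String, Object> sessions = new ConcurrentHashMap<>(); // stand-in for live sessions
    private final int debug;                      // mirrors the "debug >= 1" logging discussed above
    private long counter = 0;                     // uniqueness aid only; adds no secrecy

    public SessionIdGenerator(String jvmRoute, int debug) {
        this.jvmRoute = jvmRoute;
        this.debug = debug;
    }

    /** Build one candidate ID: hex random part, then counter, then ".jvmRoute". */
    String generateSessionId() {
        byte[] bytes = new byte[RANDOM_BYTES];
        random.nextBytes(bytes);
        StringBuilder sb = new StringBuilder(2 * RANDOM_BYTES + 32);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        long n;
        synchronized (this) {
            n = counter++;
        }
        sb.append('-').append(Long.toHexString(n)); // monotonic part, in addition to the random part
        if (jvmRoute != null && !jvmRoute.isEmpty()) {
            sb.append('.').append(jvmRoute);        // route suffix attached BEFORE the dup check
        }
        return sb.toString();
    }

    /** Register a new session, rejecting any ID that is already live. */
    public String createSession() {
        String id = generateSessionId();
        // putIfAbsent is atomic, so two threads cannot both claim the same ID.
        while (sessions.putIfAbsent(id, Boolean.TRUE) != null) {
            if (debug >= 1) {
                LOG.warning("Duplicate session id generated, retrying: " + id);
            }
            id = generateSessionId();
        }
        return id;
    }

    public boolean isLive(String id) {
        return sessions.containsKey(id);
    }

    public static void main(String[] args) {
        SessionIdGenerator gen = new SessionIdGenerator("node1", 1);
        String a = gen.createSession();
        String b = gen.createSession();
        System.out.println(a);
        System.out.println(b);
        System.out.println("distinct: " + !a.equals(b)
                + ", route suffix: " + a.endsWith(".node1")
                + ", live: " + gen.isLive(a));
    }
}
```

The counter only rules out accidental collision within one JVM; all of the secrecy comes from the random part, so shrinking that part would recreate the guessing problem Tim warns about. Note also that the counter leaks how many sessions the node has issued, which is harmless here but worth knowing before copying the pattern elsewhere.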


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
