Good catch! I'll apply the patch (if somebody doesn't beat me to it).

----- Original Message -----
From: "Glenn Olander" <[EMAIL PROTECTED]>
To: "Tomcat Developers List" <[EMAIL PROTECTED]>
Sent: Monday, December 30, 2002 8:05 AM
Subject: Re: Duplicate session IDs?

> fyi, the version he checked in contains a bug. It should append jvmRoute
> within the loop. It should look like this:
>
>         String sessionId = generateSessionId();
>         String jvmRoute = getJvmRoute();
>         // @todo Move appending of jvmRoute generateSessionId()???
>         if (jvmRoute != null) {
>             sessionId += '.' + jvmRoute;
>         }
>         synchronized (sessions) {
>             while (sessions.get(sessionId) != null) { // Guarantee uniqueness
>                 sessionId = generateSessionId();
>                 if (jvmRoute != null) {
>                     sessionId += '.' + jvmRoute;
>                 }
>             }
>         }
>         session.setId(sessionId);
>
>         return (session);
>
> Remy Maucherat wrote:
>
> > Glenn Olander wrote:
> >
> > > I can also report that I've seen this happen when the system is
> > > under load. We had a user log in and gain access to another user's
> > > session. I'm sure you can understand that makes it a very serious
> > > bug for security-sensitive applications, perhaps even deserving
> > > some kind of security alert announcement.
> > >
> > > Tim's patch is robust and seems like a good candidate for inclusion
> > > in the source at the earliest opportunity since it ensures that no
> > > duplicate session ids will be commissioned (and ManagerBase already
> > > uses SecureRandom).
> >
> > Bill enabled the (ugly but very safe) code for getting rid of
> > duplicates. That will be in 4.1.x, at least for now.
>
> --
> To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
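As an added illustration (not code from this thread or from Tomcat), the following Python model contrasts the checked-in ordering, which appends jvmRoute only before the loop, with the corrected ordering Glenn shows, where the route is appended to every candidate inside the loop. The class and method names are assumptions, and the id generator is injectable so a collision can be forced deterministically.

```python
import secrets
import threading


class SessionManager:
    """Model of the createSession() uniqueness loop (names are assumptions)."""

    def __init__(self, jvm_route=None, generate_id=None):
        self.jvm_route = jvm_route
        # Injectable generator; default mimics a SecureRandom-style id.
        self.generate_id = generate_id or (lambda: secrets.token_hex(16))
        self.sessions = {}
        self.lock = threading.Lock()

    def _with_route(self, raw_id):
        return raw_id if self.jvm_route is None else f"{raw_id}.{self.jvm_route}"

    def create_session_buggy(self):
        # Route appended once, before the loop: after a collision the regenerated
        # id is checked and stored in bare form, so the uniqueness test compares
        # against the wrong key shape and the stored id loses its route suffix.
        session_id = self._with_route(self.generate_id())
        with self.lock:
            while session_id in self.sessions:
                session_id = self.generate_id()
            self.sessions[session_id] = object()
        return session_id

    def create_session_fixed(self):
        # Route appended inside the loop: every candidate that is tested is
        # exactly the key that will be stored, so uniqueness holds for the
        # form the session map actually uses.
        with self.lock:
            session_id = self._with_route(self.generate_id())
            while session_id in self.sessions:  # guarantee uniqueness
                session_id = self._with_route(self.generate_id())
            self.sessions[session_id] = object()
        return session_id


def scripted_generator(values):
    """Constructed generator that hands out the given raw ids in order."""
    it = iter(values)
    return lambda: next(it)


def demo():
    buggy = SessionManager("node1", scripted_generator(["aaaa", "aaaa", "aaaa"]))
    fixed = SessionManager("node1", scripted_generator(["aaaa", "aaaa", "bbbb"]))
    return ([buggy.create_session_buggy() for _ in range(2)],
            [fixed.create_session_fixed() for _ in range(2)])
```

With the forced collision, the buggy ordering hands out the same raw id twice (once with and once without the route suffix), while the corrected ordering always returns a fresh id carrying the route.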