Re: Uniqueness of a sessionId

Sat, 09 Jan 2010 09:23:14 -0800 

On 08/01/2010 20:46, Christopher Schultz wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Arnab,

On 1/8/2010 8:07 AM, Arnab Ghosh wrote:

I have an doubt.Tomcat is using *org.apache.catalina.session.ManagerBase* to
generate sessionId. Now I wants to know whether this generated key will be
unique in all context running under a tomcat service or it will be unique
under a particular context??


The servlet specification (rev 2.5, section 7.3) states that a session
is to be scoped within a single context. Clearly, session ids should be
unique for a single context (webapp). Tomcat supports SSO
(single-sign-on) which allows multiple webapps to share a session, so in
that case, the session id should be unique across the set of webapps
participating in SSO.

I'm not sure about clusters, but they wouldn't work very well if session
ids generated on one node interfered with session ids created on another
node that need to be shared across the cluster. I believe that a node
attaches its jvmRoute to the session id such that it becomes unique
across the cluster, and is re-written if/when the node is failed-over.
For clusters without session stickiness, where any node may receive a
request for a particular session, the session ids has better be unique.
I don't see any documentation for Tomcat 6 that explicitly states that
session ids are unique for the cluster.

Do you have a specific concern, or are you just interested in an
academic sense?


Am not quite sure we've got to the bottom of the problem either.
I'm reading all of the posts by the same OP and I'm getting the impression that either their app does something unusual with the ID itself (e.g. is passing it as a unique key between apps) or the OP is confused about sessions generally. 


p



- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktHmbEACgkQ9CaO5/Lv0PA12wCgrWerDoJkpesgju5AqB0qDNwf
QCYAnR4mMSFR/XrMZsqejZMIjqA7tgNs
=uwly
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to