Mark,

On 6/16/26 7:05 AM, [email protected] wrote:
This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new 194cdae65e Code review follow-up - log that configuration has been ignored
194cdae65e is described below

commit 194cdae65e154a5ae00dc5489ed2856c48fb7e08
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jun 16 12:05:34 2026 +0100

     Code review follow-up - log that configuration has been ignored
---
  java/org/apache/catalina/util/SessionIdGeneratorBase.java | 2 ++
  1 file changed, 2 insertions(+)

diff --git a/java/org/apache/catalina/util/SessionIdGeneratorBase.java 
b/java/org/apache/catalina/util/SessionIdGeneratorBase.java
index cfd7366577..45bf5bb34b 100644
--- a/java/org/apache/catalina/util/SessionIdGeneratorBase.java
+++ b/java/org/apache/catalina/util/SessionIdGeneratorBase.java
@@ -200,6 +200,8 @@ public abstract class SessionIdGeneratorBase extends 
LifecycleBase implements Se
      @Override
      public void setSessionIdLength(int sessionIdLength) {
          if (sessionIdLength < 2) {
+            log.warn(sm.getString("sessionIdGeneratorBase.idLengthTooShort", 
Integer.toString(sessionIdLength),
+                    Integer.toString(this.sessionIdLength)));
              return;
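Review bot: the new log.warn references the message key sessionIdGeneratorBase.idLengthTooShort, but this commit touches only SessionIdGeneratorBase.java (diffstat: 1 file changed, 2 insertions), so the key must already exist in the LocalStrings.properties files or the warning will render as a missing-resource placeholder; worth confirming the string and its translations landed in the earlier commit this follows up. Separately, logging before the early return is the right fix for a silently ignored setting, but the guard `if (sessionIdLength < 2)` still accepts 2 as a valid length, so a 2-byte configuration produces no warning at all; if the floor is meant to be meaningful, consider raising it rather than only logging below it.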

LOL I never realized we allow a 2-byte session id.

Should this even be allowed? 2 bytes isn't enough sparseness to mitigate brute-force session takeover.

-chris
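To put numbers on the sparseness point, here is an added Python example (not Tomcat's code and not from the thread) that estimates how quickly a random session id of a given byte length could be guessed and checks a configured length against an entropy floor; the 64-bit floor, the session count and the request rate are assumed figures chosen for illustration, and 16 bytes is Tomcat's documented default sessionIdLength.

```python
# Assumed policy floor for session-id entropy; pick your own target.
MIN_ENTROPY_BITS = 64
# Tomcat's documented default sessionIdLength, in bytes.
DEFAULT_ID_BYTES = 16


def keyspace_bits(id_bytes: int) -> int:
    """Entropy of a session id made of id_bytes random bytes (8 bits per byte)."""
    return 8 * id_bytes


def expected_guesses(id_bytes: int, active_sessions: int) -> float:
    """Approximate average number of blind guesses before hitting ANY valid id.

    Each guess succeeds with probability S/K, so the expected count is K/S
    (geometric distribution), where K = 2**(8*id_bytes) and S is the number
    of live sessions.  Guessing without replacement is slightly faster,
    which only strengthens the point for short ids.
    """
    if active_sessions < 1:
        raise ValueError("need at least one active session")
    return (2 ** keyspace_bits(id_bytes)) / active_sessions


def seconds_to_hijack(id_bytes: int, active_sessions: int,
                      guesses_per_second: float) -> float:
    """Expected wall-clock time at a given sustained request rate."""
    return expected_guesses(id_bytes, active_sessions) / guesses_per_second


def length_acceptable(id_bytes: int, min_bits: int = MIN_ENTROPY_BITS) -> bool:
    """The check a deployment should apply to a configured sessionIdLength."""
    return keyspace_bits(id_bytes) >= min_bits


if __name__ == "__main__":
    # Constructed scenario: 1000 live sessions, attacker sustaining 1000 req/s.
    for n in (2, 8, DEFAULT_ID_BYTES):
        secs = seconds_to_hijack(n, active_sessions=1000, guesses_per_second=1000.0)
        print(f"{n:2d} bytes: {keyspace_bits(n):3d} bits, "
              f"~{secs:.3g} s to hit one of 1000 sessions, "
              f"acceptable={length_acceptable(n)}")
```

With a 2-byte id the whole keyspace is 65536 values, so the expected time is measured in seconds at modest request rates; the default 16 bytes puts the same estimate far beyond any practical horizon.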
