Mark,
On 6/16/26 11:30 AM, Mark Thomas wrote:
> On 16/06/2026 15:21, Christopher Schultz wrote:
>> Mark,
>>
>> On 6/16/26 7:05 AM, [email protected] wrote:
>>> This is an automated email from the ASF dual-hosted git repository.
>>>
>>> markt-asf pushed a commit to branch main
>>> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>>>
>>> The following commit(s) were added to refs/heads/main by this push:
>>>      new 194cdae65e Code review follow-up - log that configuration
>>> has been ignored
>>> 194cdae65e is described below
>>>
>>> commit 194cdae65e154a5ae00dc5489ed2856c48fb7e08
>>> Author: Mark Thomas <[email protected]>
>>> AuthorDate: Tue Jun 16 12:05:34 2026 +0100
>>>
>>>     Code review follow-up - log that configuration has been ignored
>>
>> <snip/>
>>
>> LOL I never realized we allow a 2-byte session id.
>>
>> Should this even be allowed? 2 bytes isn't enough sparseness to
>> mitigate brute-force session takeover.
>
> No objection to increasing the limit? What did you have in mind?

Good question.
The default is 16 and I suspect everyone leaves it at the default.
Are there any use cases for "research where the session id space needs
to be small?"
If not, then maybe 16 should be the minimum *shrug*.
-chris