On 17/06/2026 20:56, Christopher Schultz wrote:
Mark,
On 6/16/26 11:30 AM, Mark Thomas wrote:
On 16/06/2026 15:21, Christopher Schultz wrote:
Mark,
On 6/16/26 7:05 AM, [email protected] wrote:
This is an automated email from the ASF dual-hosted git repository.
markt-asf pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 194cdae65e Code review follow-up - log that configuration has been ignored
194cdae65e is described below
commit 194cdae65e154a5ae00dc5489ed2856c48fb7e08
Author: Mark Thomas <[email protected]>
AuthorDate: Tue Jun 16 12:05:34 2026 +0100
Code review follow-up - log that configuration has been ignored
<snip/>
LOL I never realized we allow a 2-byte session id.
Should this even be allowed? 2 bytes isn't enough sparseness to
mitigate brute-force session takeover.
No objection to increasing the limit? What did you have in mind?
Good question.
The default is 16 and I suspect everyone leaves it at the default.
Are there any use cases for "research where the session id space needs
to be small"?
Testing the impact of collisions?
I can't imagine smaller memory footprint would be a driver for a smaller
ID space. It is such a small proportion of overall memory usage.
If not, then maybe 16 should be the minimum *shrug*.
OWASP says they should be at least 8 to avoid brute force attacks. So
maybe use that as the minimum?
Mark
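The trade-off discussed above (2 bytes versus the 8-byte OWASP floor versus Tomcat's 16-byte default), worked as an added example. This is not Tomcat code and not the commit under discussion: `sessionIdLength` is the name of Tomcat's real manager attribute (a length in bytes), but the 8-byte `MIN_LENGTH`, the guess-rate figures and the clamp-and-log behaviour are assumptions constructed for illustration.

```python
import logging

# Lengths are in bytes, the same unit as Tomcat's sessionIdLength attribute.
OWASP_MIN_ENTROPY_BITS = 64   # the 8-byte floor cited in the thread
TOMCAT_DEFAULT_LENGTH = 16    # bytes; the default mentioned in the thread
MIN_LENGTH = 8                # hypothetical minimum enforced by this example

log = logging.getLogger("session-id-policy")


def entropy_bits(length_bytes: int) -> int:
    """Entropy of an id made of length_bytes uniformly random bytes."""
    return 8 * length_bytes


def expected_guesses(length_bytes: int, active_sessions: int = 1) -> float:
    """Expected number of blind guesses before one hits any of
    `active_sessions` valid ids, assuming uniformly random ids and guesses
    with replacement (geometric distribution: keyspace / valid ids)."""
    keyspace = 2 ** entropy_bits(length_bytes)
    return keyspace / active_sessions


def seconds_to_hit(length_bytes: int, active_sessions: int,
                   guesses_per_second: float) -> float:
    """Expected wall-clock time to the first hit at a given guess rate."""
    return expected_guesses(length_bytes, active_sessions) / guesses_per_second


def effective_length(configured: int, minimum: int = MIN_LENGTH) -> int:
    """Clamp a configured sessionIdLength to the policy minimum and log that
    the configuration was ignored (the behaviour the commit subject names;
    the exact Tomcat wording and threshold are not on the page)."""
    if configured < minimum:
        log.warning(
            "sessionIdLength=%d is below the minimum of %d bytes; "
            "configuration ignored, using %d",
            configured, minimum, minimum,
        )
        return minimum
    return configured


def compare(lengths=(2, 8, 16), active_sessions=10_000,
            guesses_per_second=1_000_000.0) -> dict:
    """Summarise each candidate length; constructed load figures:
    10k live sessions and one million guesses per second."""
    rows = {}
    for n in lengths:
        rows[n] = {
            "entropy_bits": entropy_bits(n),
            "meets_owasp_floor": entropy_bits(n) >= OWASP_MIN_ENTROPY_BITS,
            "seconds_to_hit": seconds_to_hit(n, active_sessions,
                                             guesses_per_second),
        }
    return rows


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for n, row in compare().items():
        print(f"{n:>2} bytes: {row['entropy_bits']:>3} bits, "
              f"owasp_ok={row['meets_owasp_floor']}, "
              f"~{row['seconds_to_hit']:.3g} s to first hit")
    print("effective length for configured 2:", effective_length(2))
    print("effective length for default 16:", effective_length(16))
```

With the constructed figures, a 2-byte id (65,536 possible values) is expected to be hit in a few milliseconds once there are thousands of live sessions, which is the point Chris raises; 8 bytes clears the 64-bit floor Mark quotes, and 16 bytes is the default nobody changes.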
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]