Chad Darby wrote:

> Hi,
>
> Does anyone know how the HttpServletRequest.getSession() method is
> implemented?  Basically what is the general algorithm for assigning
> unique session ids for multiple users?
>
> In the past, I've simply accepted the "black magic" that it works.  Now
> I'm curious about "how" it works.
>
> Any info is appreciated.  Thanks!
>

The algorithm for generating session IDs is specific to each servlet engine,
so you'd need to look at the source code for one of them.  Fortunately, there
are several open source implementations around.  I am most familiar with
Apache JServ (http://java.apache.org), which creates a session ID string by
gluing together the following items:

* Hex-digits string for a random number

* Count of the sessions created since the
  servlet engine was started

* Session creation time in milliseconds

* (Optional) load balancing server identifier
  if you are using load balancing

The concept is to make it pretty difficult to forge a valid session
identifier.  It's certainly not impossible -- in high security environments,
you would need to run on SSL or something like that, because the session IDs
themselves are passed back and forth in clear text.

Craig McClanahan
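
The composition described in the reply above, sketched as an added example (not Apache JServ's source and not part of the original message); the class and method names, the `.` separator before the server identifier and the `node1` value are assumptions. It sets the composite ID beside one drawn entirely from `SecureRandom`, because the counter, timestamp and server identifier make an ID unique but add little unpredictability.

```java
import java.security.SecureRandom;
import java.util.concurrent.atomic.AtomicLong;

// Added illustration; not Apache JServ source. All names here are hypothetical.
public class SessionIdSketch {
    private static final SecureRandom RNG = new SecureRandom();
    // Sessions created since the engine started.
    private static final AtomicLong CREATED = new AtomicLong();

    // Composite ID in the order the message lists: random hex digits,
    // session count, creation time in ms, optional server identifier.
    static String compositeId(long nowMillis, String serverId) {
        StringBuilder sb = new StringBuilder();
        sb.append(Long.toHexString(RNG.nextLong()));
        sb.append(CREATED.incrementAndGet());
        sb.append(nowMillis);
        if (serverId != null) {
            sb.append('.').append(serverId); // separator is an assumption
        }
        return sb.toString();
    }

    // Hardened form: all 128 bits come from the CSPRNG, so no field
    // of the ID can be estimated from the clock or from traffic volume.
    static String randomId() {
        byte[] buf = new byte[16];
        RNG.nextBytes(buf);
        StringBuilder sb = new StringBuilder(32);
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis(); // constructed sample input
        // Two consecutive composite IDs: the tails differ only by the
        // counter step and the clock tick; the leading hex is the part
        // that resists guessing.
        System.out.println("composite: " + compositeId(now, "node1"));
        System.out.println("composite: " + compositeId(now + 1, "node1"));
        System.out.println("random:    " + randomId());
    }
}
```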
