Unique Session ID's - are they really generated?
Hi, On some application servers I have used in the past when you shut them down and restarted the server it was possible that duplicate session ID's were generated matching those in a previously running instance of the server. Does anyone know if tomcat really has Unique Session ID creation. That is I leave tomcat running for a week. Stop it. Start it. Is it possible that a duplication session ID will be created in my new running instance that matches a session ID created in my previous running instance. I just want to know does tomcat really guarantee unique Session ID's even over shutdown and start ups?? Thanks, Steve. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Unique Session ID's - are they really generated?
It sounds like you are talking about IIS, where the session ID was the memory handle to the session object George Sexton MH Software, Inc. http://www.mhsoftware.com/ Voice: 303 438 9585 -Original Message- From: Steven Pannell [mailto:[EMAIL PROTECTED] Sent: Monday, May 02, 2005 8:05 AM To: 'tomcat-dev@jakarta.apache.org' Subject: Unique Session ID's - are they really generated? Hi, On some application servers I have used in the past when you shut them down and restarted the server it was possible that duplicate session ID's were generated matching those in a previously running instance of the server. Does anyone know if tomcat really has Unique Session ID creation. That is I leave tomcat running for a week. Stop it. Start it. Is it possible that a duplication session ID will be created in my new running instance that matches a session ID created in my previous running instance. I just want to know does tomcat really guarantee unique Session ID's even over shutdown and start ups?? Thanks, Steve. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: Unique Session ID's - are they really generated?
Hi, Does anyone know if tomcat really has Unique Session ID creation. That is I leave tomcat running for a week. Stop it. Start it. Is it possible that a duplication session ID will be created in my new running instance that matches a session ID created in my previous running instance. It's possible, but exceedingly unlikely. You can go over the implementation yourself (the beauty of open-source ;)). But even if you don't want to do that, make sure to read http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/manager.html. Note that by configuring some of the Manager parameters discussed on this page, such as entropy, every time you restart the server, you can further reduce duplicate session ID probability. Alternatively, if you're really paranoid about this, simply extend the existing manager with one that keeps track of past session IDs, and does not issue them ever again ;) Yoav Shapira System Design and Management Fellow MIT Sloan School of Management / School of Engineering Cambridge, MA USA [EMAIL PROTECTED] / [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
