RE: is session id unique across webapps ?
Hmm, I just read those two thread and I didn't see a final solution. Is getJvmRoute() unique across tomcat instances running on 5 web servers all serving the same app using a JDBC session manager. I know session id is unique within a webapp but what about over a cluster of webapps that don't use sticky sessions? All that blather about it being a statistical improbability that a session id will be duped is crap. It has to be IMPOSSIBLE across a non-sticky cluster for a dupe session id to be generated. --Angus -Original Message- From: Tim Funk [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 6:56 AM To: Tomcat Users List Subject: Re: is session id unique across webapps ? Tomcat creates its sessionids from a random number generator. The breadth of random numbers is very wide allowing for virtually no overlaps. But since they are random, dups may appear. Tomcat does have checks to make sure it doesn't give out an existing session id in a particular webapp. That being said, I think it is possible that the same session_id may be used by two different users for two different webapps. So if you really need a unique identifier, append session_id to context path. There was a few discussions in developers list above session id uniqueness. http://marc.theaimsgroup.com/?t=10407214591r=1w=2 http://marc.theaimsgroup.com/?t=10420795603r=1w=2 -Tim siddharth wrote: Hi all, I am tring to find out about *uniqueness* of *session ids* which are generated by tomcat. are session ids are unique across webapps ??? --- thanx. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: is session id unique across webapps ?
I thought it was based on the browser ID + number - therefore always unique. -Original Message- From: Angus Mezick [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 9:28 AM To: Tomcat Users List Subject: RE: is session id unique across webapps ? Hmm, I just read those two thread and I didn't see a final solution. Is getJvmRoute() unique across tomcat instances running on 5 web servers all serving the same app using a JDBC session manager. I know session id is unique within a webapp but what about over a cluster of webapps that don't use sticky sessions? All that blather about it being a statistical improbability that a session id will be duped is crap. It has to be IMPOSSIBLE across a non-sticky cluster for a dupe session id to be generated. --Angus -Original Message- From: Tim Funk [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 6:56 AM To: Tomcat Users List Subject: Re: is session id unique across webapps ? Tomcat creates its sessionids from a random number generator. The breadth of random numbers is very wide allowing for virtually no overlaps. But since they are random, dups may appear. Tomcat does have checks to make sure it doesn't give out an existing session id in a particular webapp. That being said, I think it is possible that the same session_id may be used by two different users for two different webapps. So if you really need a unique identifier, append session_id to context path. There was a few discussions in developers list above session id uniqueness. http://marc.theaimsgroup.com/?t=10407214591r=1w=2 http://marc.theaimsgroup.com/?t=10420795603r=1w=2 -Tim siddharth wrote: Hi all, I am tring to find out about *uniqueness* of *session ids* which are generated by tomcat. are session ids are unique across webapps ??? --- thanx. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: is session id unique across webapps ?
From ManagerBase.java: I worry that jvmRoute is not unique across
servers in a cluster if using JDBC store instead of sticky sessions.
public Session createSession() {
// Recycle or create a Session instance
Session session = createEmptySession();
// Initialize the properties of the new session and return it
session.setNew(true);
session.setValid(true);
session.setCreationTime(System.currentTimeMillis());
session.setMaxInactiveInterval(this.maxInactiveInterval);
String sessionId = generateSessionId();
String jvmRoute = getJvmRoute();
// @todo Move appending of jvmRoute generateSessionId()???
if (jvmRoute != null) {
sessionId += '.' + jvmRoute;
}
synchronized (sessions) {
while (sessions.get(sessionId) != null){ // Guarantee
uniqueness
sessionId = generateSessionId();
duplicates++;
// @todo Move appending of jvmRoute
generateSessionId()???
if (jvmRoute != null) {
sessionId += '.' + jvmRoute;
}
}
}
session.setId(sessionId);
sessionCounter++;
return (session);
}
protected synchronized String generateSessionId() {
// Generate a byte array containing a session identifier
Random random = getRandom();
byte bytes[] = new byte[SESSION_ID_BYTES];
getRandom().nextBytes(bytes);
bytes = getDigest().digest(bytes);
// Render the result as a String of hexadecimal digits
StringBuffer result = new StringBuffer();
for (int i = 0; i bytes.length; i++) {
byte b1 = (byte) ((bytes[i] 0xf0) 4);
byte b2 = (byte) (bytes[i] 0x0f);
if (b1 10)
result.append((char) ('0' + b1));
else
result.append((char) ('A' + (b1 - 10)));
if (b2 10)
result.append((char) ('0' + b2));
else
result.append((char) ('A' + (b2 - 10)));
}
return (result.toString());
}
10 minutes later after reading more code:
1) I love the fact that jakarta doesn't to * imports! YAH!
2) jvmRoute is a non-required field of the engine tag in server.xml.
You set it to anything you like so it is your own darn fault if the
session id isn't unique across a cluster! YAH!
-Original Message-
From: Schwartz, David (CHR) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 9:30 AM
To: 'Tomcat Users List'
Subject: RE: is session id unique across webapps ?
I thought it was based on the browser ID + number - therefore
always unique.
-Original Message-
From: Angus Mezick [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 9:28 AM
To: Tomcat Users List
Subject: RE: is session id unique across webapps ?
Hmm, I just read those two thread and I didn't see a final
solution. Is
getJvmRoute() unique across tomcat instances running on 5 web servers
all serving the same app using a JDBC session manager. I know session
id is unique within a webapp but what about over a cluster of webapps
that don't use sticky sessions? All that blather about it being a
statistical improbability that a session id will be duped is crap. It
has to be IMPOSSIBLE across a non-sticky cluster for a dupe session id
to be generated.
--Angus
-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 04, 2003 6:56 AM
To: Tomcat Users List
Subject: Re: is session id unique across webapps ?
Tomcat creates its sessionids from a random number generator.
The breadth of
random numbers is very wide allowing for virtually no
overlaps. But since
they are random, dups may appear. Tomcat does have checks to
make sure it
doesn't give out an existing session id in a particular webapp.
That being said, I think it is possible that the same
session_id may be used
by two different users for two different webapps.
So if you really need a unique identifier, append session_id
to context path.
There was a few discussions in developers list above session
id uniqueness.
http://marc.theaimsgroup.com/?t=10407214591r=1w=2
http://marc.theaimsgroup.com/?t=10420795603r=1w=2
-Tim
siddharth wrote:
Hi all,
I am tring to find out about *uniqueness* of *session ids*
which are
generated by tomcat.
are session ids are unique across webapps ???
---
thanx.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED
Re: is session id unique across webapps ?
Tomcat creates its sessionids from a random number generator. The breadth of random numbers is very wide allowing for virtually no overlaps. But since they are random, dups may appear. Tomcat does have checks to make sure it doesn't give out an existing session id in a particular webapp. That being said, I think it is possible that the same session_id may be used by two different users for two different webapps. So if you really need a unique identifier, append session_id to context path. There was a few discussions in developers list above session id uniqueness. http://marc.theaimsgroup.com/?t=10407214591r=1w=2 http://marc.theaimsgroup.com/?t=10420795603r=1w=2 -Tim siddharth wrote: Hi all, I am tring to find out about *uniqueness* of *session ids* which are generated by tomcat. are session ids are unique across webapps ??? --- thanx. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
