RE: is session id unique across webapps ?
Hmm, I just read those two thread and I didn't see a final solution. Is getJvmRoute() unique across tomcat instances running on 5 web servers all serving the same app using a JDBC session manager. I know session id is unique within a webapp but what about over a cluster of webapps that don't use sticky sessions? All that blather about it being a statistical improbability that a session id will be duped is crap. It has to be IMPOSSIBLE across a non-sticky cluster for a dupe session id to be generated. --Angus -Original Message- From: Tim Funk [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 6:56 AM To: Tomcat Users List Subject: Re: is session id unique across webapps ? Tomcat creates its sessionids from a random number generator. The breadth of random numbers is very wide allowing for virtually no overlaps. But since they are random, dups may appear. Tomcat does have checks to make sure it doesn't give out an existing session id in a particular webapp. That being said, I think it is possible that the same session_id may be used by two different users for two different webapps. So if you really need a unique identifier, append session_id to context path. There was a few discussions in developers list above session id uniqueness. http://marc.theaimsgroup.com/?t=10407214591r=1w=2 http://marc.theaimsgroup.com/?t=10420795603r=1w=2 -Tim siddharth wrote: Hi all, I am tring to find out about *uniqueness* of *session ids* which are generated by tomcat. are session ids are unique across webapps ??? --- thanx. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: is session id unique across webapps ?
I thought it was based on the browser ID + number - therefore always unique. -Original Message- From: Angus Mezick [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 9:28 AM To: Tomcat Users List Subject: RE: is session id unique across webapps ? Hmm, I just read those two thread and I didn't see a final solution. Is getJvmRoute() unique across tomcat instances running on 5 web servers all serving the same app using a JDBC session manager. I know session id is unique within a webapp but what about over a cluster of webapps that don't use sticky sessions? All that blather about it being a statistical improbability that a session id will be duped is crap. It has to be IMPOSSIBLE across a non-sticky cluster for a dupe session id to be generated. --Angus -Original Message- From: Tim Funk [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 6:56 AM To: Tomcat Users List Subject: Re: is session id unique across webapps ? Tomcat creates its sessionids from a random number generator. The breadth of random numbers is very wide allowing for virtually no overlaps. But since they are random, dups may appear. Tomcat does have checks to make sure it doesn't give out an existing session id in a particular webapp. That being said, I think it is possible that the same session_id may be used by two different users for two different webapps. So if you really need a unique identifier, append session_id to context path. There was a few discussions in developers list above session id uniqueness. http://marc.theaimsgroup.com/?t=10407214591r=1w=2 http://marc.theaimsgroup.com/?t=10420795603r=1w=2 -Tim siddharth wrote: Hi all, I am tring to find out about *uniqueness* of *session ids* which are generated by tomcat. are session ids are unique across webapps ??? --- thanx. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: is session id unique across webapps ?
From ManagerBase.java: I worry that jvmRoute is not unique across servers in a cluster if using JDBC store instead of sticky sessions. public Session createSession() { // Recycle or create a Session instance Session session = createEmptySession(); // Initialize the properties of the new session and return it session.setNew(true); session.setValid(true); session.setCreationTime(System.currentTimeMillis()); session.setMaxInactiveInterval(this.maxInactiveInterval); String sessionId = generateSessionId(); String jvmRoute = getJvmRoute(); // @todo Move appending of jvmRoute generateSessionId()??? if (jvmRoute != null) { sessionId += '.' + jvmRoute; } synchronized (sessions) { while (sessions.get(sessionId) != null){ // Guarantee uniqueness sessionId = generateSessionId(); duplicates++; // @todo Move appending of jvmRoute generateSessionId()??? if (jvmRoute != null) { sessionId += '.' + jvmRoute; } } } session.setId(sessionId); sessionCounter++; return (session); } protected synchronized String generateSessionId() { // Generate a byte array containing a session identifier Random random = getRandom(); byte bytes[] = new byte[SESSION_ID_BYTES]; getRandom().nextBytes(bytes); bytes = getDigest().digest(bytes); // Render the result as a String of hexadecimal digits StringBuffer result = new StringBuffer(); for (int i = 0; i bytes.length; i++) { byte b1 = (byte) ((bytes[i] 0xf0) 4); byte b2 = (byte) (bytes[i] 0x0f); if (b1 10) result.append((char) ('0' + b1)); else result.append((char) ('A' + (b1 - 10))); if (b2 10) result.append((char) ('0' + b2)); else result.append((char) ('A' + (b2 - 10))); } return (result.toString()); } 10 minutes later after reading more code: 1) I love the fact that jakarta doesn't to * imports! YAH! 2) jvmRoute is a non-required field of the engine tag in server.xml. You set it to anything you like so it is your own darn fault if the session id isn't unique across a cluster! YAH! -Original Message- From: Schwartz, David (CHR) [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 9:30 AM To: 'Tomcat Users List' Subject: RE: is session id unique across webapps ? I thought it was based on the browser ID + number - therefore always unique. -Original Message- From: Angus Mezick [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 9:28 AM To: Tomcat Users List Subject: RE: is session id unique across webapps ? Hmm, I just read those two thread and I didn't see a final solution. Is getJvmRoute() unique across tomcat instances running on 5 web servers all serving the same app using a JDBC session manager. I know session id is unique within a webapp but what about over a cluster of webapps that don't use sticky sessions? All that blather about it being a statistical improbability that a session id will be duped is crap. It has to be IMPOSSIBLE across a non-sticky cluster for a dupe session id to be generated. --Angus -Original Message- From: Tim Funk [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 04, 2003 6:56 AM To: Tomcat Users List Subject: Re: is session id unique across webapps ? Tomcat creates its sessionids from a random number generator. The breadth of random numbers is very wide allowing for virtually no overlaps. But since they are random, dups may appear. Tomcat does have checks to make sure it doesn't give out an existing session id in a particular webapp. That being said, I think it is possible that the same session_id may be used by two different users for two different webapps. So if you really need a unique identifier, append session_id to context path. There was a few discussions in developers list above session id uniqueness. http://marc.theaimsgroup.com/?t=10407214591r=1w=2 http://marc.theaimsgroup.com/?t=10420795603r=1w=2 -Tim siddharth wrote: Hi all, I am tring to find out about *uniqueness* of *session ids* which are generated by tomcat. are session ids are unique across webapps ??? --- thanx. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED
Re: is session id unique across webapps ?
Tomcat creates its sessionids from a random number generator. The breadth of random numbers is very wide allowing for virtually no overlaps. But since they are random, dups may appear. Tomcat does have checks to make sure it doesn't give out an existing session id in a particular webapp. That being said, I think it is possible that the same session_id may be used by two different users for two different webapps. So if you really need a unique identifier, append session_id to context path. There was a few discussions in developers list above session id uniqueness. http://marc.theaimsgroup.com/?t=10407214591r=1w=2 http://marc.theaimsgroup.com/?t=10420795603r=1w=2 -Tim siddharth wrote: Hi all, I am tring to find out about *uniqueness* of *session ids* which are generated by tomcat. are session ids are unique across webapps ??? --- thanx. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]