Is there any interest in making the session id length configurable? If so, please consider my patch (attached).
Thanks,
Jan
Index: Manager.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/Manager.java,v
retrieving revision 1.6
diff -u -r1.6 Manager.java
--- Manager.java 13 Jan 2004 01:39:36 -0000 1.6
+++ Manager.java 7 Feb 2004 02:19:31 -0000
@@ -164,6 +164,24 @@
 public void setMaxInactiveInterval(int interval);
+ /**
+ * Gets the session id length (in bytes) of Sessions created by
+ * this Manager.
+ *
+ * @return The session id length
+ */
+ public int getSessionIdLength();
+
+
+ /**
+ * Sets the session id length (in bytes) for Sessions created by this
+ * Manager.
+ *
+ * @param sessionIdLength The session id length
+ */
+ public void setSessionIdLength(int idLength);
+
+
 // --------------------------------------------------------- Public Methods
Index: session/ManagerBase.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/ManagerBase.java,v
retrieving revision 1.24
diff -u -r1.24 ManagerBase.java
--- session/ManagerBase.java 26 Jan 2004 20:19:11 -0000 1.24
+++ session/ManagerBase.java 7 Feb 2004 02:19:31 -0000
@@ -119,13 +119,6 @@
 /**
- * The number of random bytes to include when generating a
- * session identifier.
- */
- protected static final int SESSION_ID_BYTES = 16;
-
-
- /**
 * The message digest algorithm to be used when generating session
 * identifiers. This must be an algorithm supported by the
 * <code>java.security.MessageDigest</code> class on your platform.
@@ -187,6 +180,12 @@
 /**
+ * The session id length of Sessions created by this Manager.
+ */
+ protected int sessionIdLength = 16;
+
+
+ /**
 * The descriptive name of this Manager implementation (for logging).
 */
 protected static String name = "ManagerBase";
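Review bot: The Javadoc on the two new `Manager` methods names the wrong parameter and leaves the unit ambiguous: `@param sessionIdLength` documents a parameter that is declared as `idLength`, and "in bytes" does not say that the id string is hex-encoded and therefore twice that many characters, as the generateSessionId hunk in ManagerBase.java shows. I would write `@param idLength The number of bytes rendered into a session id (the id string is twice as many hex characters); must be positive`. The same tag mismatch is repeated in the `setSessionIdLength` hunk of ManagerBase.java. Because these are new methods on a public interface, any Manager implementation that does not extend ManagerBase will presumably stop compiling, which is worth stating in the change description.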
@@ -488,6 +487,36 @@
 /**
+ * Gets the session id length (in bytes) of Sessions created by
+ * this Manager.
+ *
+ * @return The session id length
+ */
+ public int getSessionIdLength() {
+
+ return (this.sessionIdLength);
+
+ }
+
+
+ /**
+ * Sets the session id length (in bytes) for Sessions created by this
+ * Manager.
+ *
+ * @param sessionIdLength The session id length
+ */
+ public void setSessionIdLength(int idLength) {
+
+ int oldSessionIdLength = this.sessionIdLength;
+ this.sessionIdLength = idLength;
+ support.firePropertyChange("sessionIdLength",
+ new Integer(oldSessionIdLength),
+ new Integer(this.sessionIdLength));
+
+ }
+
+
+ /**
 * Return the descriptive short name of this Manager implementation.
 */
 public String getName() {
@@ -496,8 +525,9 @@
 }
- /** Use /dev/random-type special device. This is new code, but may reduce the
- * big delay in generating the random.
+ /**
+ * Use /dev/random-type special device. This is new code, but may reduce
+ * the big delay in generating the random.
 *
 * You must specify a path to a random generator file. Use /dev/urandom
 * for linux ( or similar ) systems. Use /dev/random for maximum security
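Review bot: `setSessionIdLength` in the @@ -488 hunk stores `idLength` with no range check, so a zero or negative value is accepted; in the generateSessionId hunk the `while (resultLenBytes < this.sessionIdLength)` loop is then skipped and every session is handed the empty string as its id. Small positive values are accepted as well, which shrinks the id space that resistance to session guessing depends on. Reject bad input before the assignment, for example `if (idLength <= 0) throw new IllegalArgumentException("sessionIdLength must be positive: " + idLength);`, and consider enforcing a documented minimum rather than only excluding zero. The setter is also unsynchronized while `generateSessionId` is synchronized, so the visible code does not guarantee that a concurrent change is seen by the generator.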
@@ -828,23 +858,30 @@
 * Generate and return a new session identifier.
 */
 protected synchronized String generateSessionId() {
- byte bytes[] = new byte[SESSION_ID_BYTES];
- getRandomBytes( bytes );
- bytes = getDigest().digest(bytes);
+
+ byte random[] = new byte[16];
 // Render the result as a String of hexadecimal digits
 StringBuffer result = new StringBuffer();
- for (int i = 0; i < bytes.length; i++) {
- byte b1 = (byte) ((bytes[i] & 0xf0) >> 4);
- byte b2 = (byte) (bytes[i] & 0x0f);
- if (b1 < 10)
- result.append((char) ('0' + b1));
- else
- result.append((char) ('A' + (b1 - 10)));
- if (b2 < 10)
- result.append((char) ('0' + b2));
- else
- result.append((char) ('A' + (b2 - 10)));
+ int resultLenBytes = 0;
+ while (resultLenBytes < this.sessionIdLength) {
+ getRandomBytes(random);
+ random = getDigest().digest(random);
+ for (int j = 0;
+ j < random.length && resultLenBytes < this.sessionIdLength;
+ j++) {
+ byte b1 = (byte) ((random[j] & 0xf0) >> 4);
+ byte b2 = (byte) (random[j] & 0x0f);
+ if (b1 < 10)
+ result.append((char) ('0' + b1));
+ else
+ result.append((char) ('A' + (b1 - 10)));
+ if (b2 < 10)
+ result.append((char) ('0' + b2));
+ else
+ result.append((char) ('A' + (b2 - 10)));
+ resultLenBytes++;
+ }
 }
 return (result.toString());
Index: session/mbeans-descriptors.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/mbeans-descriptors.xml,v
retrieving revision 1.3
diff -u -r1.3 mbeans-descriptors.xml
--- session/mbeans-descriptors.xml 10 Dec 2003 23:00:36 -0000 1.3
+++ session/mbeans-descriptors.xml 7 Feb 2004 02:19:31 -0000
@@ -52,6 +52,11 @@
 created by this Manager"
 type="int"/>
+ <attribute name="sessionIdLength"
+ description="The session id length (in bytes) of Sessions
+ created by this Manager"
+ type="int"/>
+
 <attribute name="name"
 description="The descriptive name of this Manager implementation (for logging)"
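Review bot: In `generateSessionId`, `byte random[] = new byte[16];` brings back as a bare literal the value that the removed `SESSION_ID_BYTES` constant used to name, and that size no longer has any stated relation to the configured length. The buffer is also reassigned to the digest output inside the loop (`random = getDigest().digest(random);`), so on later passes `getRandomBytes(random)` presumably fills an array as long as the digest rather than 16 bytes; that works but is easy to misread. I would keep a named constant for the seed size and add a comment above the loop such as `// each pass: fresh random bytes -> digest -> hex, until sessionIdLength bytes are rendered`. The method's closing lines fall outside the hunk.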
@@ -175,6 +180,11 @@
 <attribute name="maxInactiveInterval"
 description="The default maximum inactive interval for Sessions
+ created by this Manager"
+ type="int"/>
+
+ <attribute name="sessionIdLength"
+ description="The session id length (in bytes) of Sessions
 created by this Manager"
 type="int"/>