From ManagerBase.java: I worry that jvmRoute is not unique across
servers in a cluster if using JDBC store instead of sticky sessions.

    public Session createSession() {
        // Recycle or create a Session instance
        Session session = createEmptySession();
        // Initialize the properties of the new session and return it
        session.setNew(true);
        session.setValid(true);
        session.setCreationTime(System.currentTimeMillis());
        session.setMaxInactiveInterval(this.maxInactiveInterval);
        String sessionId = generateSessionId();
        String jvmRoute = getJvmRoute();
        // @todo Move appending of jvmRoute generateSessionId()???
        if (jvmRoute != null) {
            sessionId += '.' + jvmRoute;
        }
        synchronized (sessions) {
            while (sessions.get(sessionId) != null) { // Guarantee uniqueness
                sessionId = generateSessionId();
                duplicates++;
                // @todo Move appending of jvmRoute generateSessionId()???
                if (jvmRoute != null) {
                    sessionId += '.' + jvmRoute;
                }
            }
        }
        session.setId(sessionId);
        sessionCounter++;
        return (session);
    }

    protected synchronized String generateSessionId() {
        // Generate a byte array containing a session identifier
        Random random = getRandom();
        byte bytes[] = new byte[SESSION_ID_BYTES];
        getRandom().nextBytes(bytes);
        bytes = getDigest().digest(bytes);
        // Render the result as a String of hexadecimal digits
        StringBuffer result = new StringBuffer();
        for (int i = 0; i < bytes.length; i++) {
            byte b1 = (byte) ((bytes[i] & 0xf0) >> 4);
            byte b2 = (byte) (bytes[i] & 0x0f);
            if (b1 < 10)
                result.append((char) ('0' + b1));
            else
                result.append((char) ('A' + (b1 - 10)));
            if (b2 < 10)
                result.append((char) ('0' + b2));
            else
                result.append((char) ('A' + (b2 - 10)));
        }
        return (result.toString());
    }

10 minutes later after reading more code:
1) I love the fact that jakarta doesn't do * imports! YAH!
2) jvmRoute is a non-required field of the engine tag in server.xml.
You set it to anything you like so it is your own darn fault if the
session id isn't unique across a cluster! YAH!
> -----Original Message-----
> From: Schwartz, David (CHR) [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 04, 2003 9:30 AM
> To: 'Tomcat Users List'
> Subject: RE: is session id unique across webapps ?
>
>
> I thought it was based on the browser ID + number - therefore
> always unique.
>
> -----Original Message-----
> From: Angus Mezick [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, June 04, 2003 9:28 AM
> To: Tomcat Users List
> Subject: RE: is session id unique across webapps ?
>
>
> Hmm, I just read those two threads and I didn't see a final solution.
> Is getJvmRoute() unique across tomcat instances running on 5 web
> servers all serving the same app using a JDBC session manager? I know
> session id is unique within a webapp but what about over a cluster of
> webapps that don't use sticky sessions? All that blather about it being
> a statistical improbability that a session id will be duped is crap. It
> has to be IMPOSSIBLE across a non-sticky cluster for a dupe session id
> to be generated.
> --Angus
>
> > -----Original Message-----
> > From: Tim Funk [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, June 04, 2003 6:56 AM
> > To: Tomcat Users List
> > Subject: Re: is session id unique across webapps ?
> >
> >
> > Tomcat creates its sessionids from a random number generator. The
> > breadth of random numbers is very wide allowing for "virtually" no
> > overlaps. But since they are random, dups may appear. Tomcat does have
> > checks to make sure it doesn't give out an existing session id in a
> > particular webapp.
> >
> > That being said, I think it is possible that the same session_id may
> > be used by two different users for two different webapps.
> >
> > So if you really need a unique identifier, append session_id to
> > context path.
> >
> > There were a few discussions on the developers list about session id
> > uniqueness.
> >
> http://marc.theaimsgroup.com/?t=104072145900001&r=1&w=2
> http://marc.theaimsgroup.com/?t=104207956000003&r=1&w=2
>
>
> -Tim
>
> siddharth wrote:
> > Hi all,
> >
> > I am trying to find out about *uniqueness* of *session ids* which are
> > generated by tomcat.
> >
> > are session ids unique across webapps ???
> > -----------------------------------------------
> >
> >
> >
> > thanx.
> >
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
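
An added example, not part of the original thread and not Tomcat's own code: a small model of the createSession() loop quoted above, run on two nodes whose IDs would land in one shared session store. The names ClusterSessionIdDemo, Node and crossNodeDuplicates are hypothetical, and the ID space is deliberately shrunk to 1 byte (an assumption for the demo) so that cross-node collisions become observable.

```java
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

public class ClusterSessionIdDemo {
    // Hypothetical model of one node: like createSession() in the post, it
    // checks uniqueness only against its own local session set.
    static final class Node {
        private final String jvmRoute; // null models an Engine without jvmRoute
        private final int idBytes;
        private final Set<String> sessions = new HashSet<>();
        private final SecureRandom random = new SecureRandom();
        Node(String jvmRoute, int idBytes) {
            this.jvmRoute = jvmRoute;
            this.idBytes = idBytes;
        }
        String createSessionId() {
            String id;
            do {
                byte[] bytes = new byte[idBytes];
                random.nextBytes(bytes);
                StringBuilder hex = new StringBuilder();
                for (byte b : bytes) hex.append(String.format("%02X", b));
                id = hex.toString();
                if (jvmRoute != null) id += '.' + jvmRoute;
            } while (!sessions.add(id)); // retry on a local duplicate only
            return id;
        }
    }
    // IDs issued by both nodes: the collisions a shared session store would see.
    // perNode must not exceed 256^idBytes or the retry loop cannot finish.
    static int crossNodeDuplicates(String routeA, String routeB, int idBytes, int perNode) {
        Node a = new Node(routeA, idBytes);
        Node b = new Node(routeB, idBytes);
        Set<String> issuedByA = new HashSet<>();
        for (int i = 0; i < perNode; i++) issuedByA.add(a.createSessionId());
        int dups = 0;
        for (int i = 0; i < perNode; i++) {
            if (issuedByA.contains(b.createSessionId())) dups++;
        }
        return dups;
    }

    public static void main(String[] args) {
        // Constructed parameters: 1-byte IDs (256 values), 200 sessions per node.
        System.out.println("distinct routes: " + crossNodeDuplicates("node1", "node2", 1, 200));
        System.out.println("same route:      " + crossNodeDuplicates("node1", "node1", 1, 200));
        System.out.println("no route:        " + crossNodeDuplicates(null, null, 1, 200));
    }
}
```

With 256 possible values and 200 IDs per node, the same-route and no-route runs must share at least 144 IDs, while distinct routes cannot share any because the suffix partitions the ID space per node. At real ID sizes the overlap becomes improbable rather than certain, but only distinct jvmRoute values make it impossible.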