On 07/02/18 23:49, Alex O'Ree wrote:
> I was recently perusing security implementation guides and ran across one
> that required that session IDs be "destroyed" after use and not reused.
> From my understanding, it looks like the java/tomcat/servlet equivalent is
> the JSESSIONID. I'm assuming this is probably a randomly generated ID but I
> honestly don't know without digging through the code base.

It is a securely generated random ID.

> If it is a randomly generated UUID it's a pretty safe assumption that a
> duplicate id is very unlikely and that reusing a session id for a different
> tomcat user session is also very unlikely. Is this correct?

Correct.

> The action of destroying the session id server side (again without looking
> at the code) is probably just a string that is eventually gc'd. Is that
> correct or is it something more sophisticated?

Also correct.

> Anyhow, I figured I would ask the tomcat community on this one.

HTH,

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
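An added example, not code from this thread or from Tomcat itself, showing the two operations the question is about as they look from servlet code: rotating the session ID at login (so an ID that existed before authentication, possibly planted by an attacker, is never reused for the authenticated session) and invalidating the session at logout (so the old JSESSIONID is forgotten server side and not honoured again). It assumes a Servlet 3.1+ container such as Tomcat 8.x/9.x (javax.servlet namespace; Tomcat 10 moved to jakarta.servlet); the URL paths and the checkCredentials() helper are hypothetical.

```java
// Added example: session-ID rotation at login and invalidation at logout.
// Assumes Tomcat 8.x/9.x (javax.servlet). Paths and checkCredentials() are
// hypothetical stand-ins, not part of any real application.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet(urlPatterns = {"/login", "/logout"})
public class SessionLifecycleServlet extends HttpServlet {

    // Hypothetical credential check; a real application verifies a password hash.
    private boolean checkCredentials(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/logout".equals(req.getServletPath())) {
            logout(req, resp);
        } else {
            login(req, resp);
        }
    }

    private void login(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("user");
        if (!checkCredentials(user, req.getParameter("pass"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // getSession(true) returns the pre-login session if the browser already
        // sent a JSESSIONID cookie; otherwise Tomcat creates one with a fresh
        // SecureRandom-derived ID.
        HttpSession session = req.getSession(true);
        String oldId = session.getId();

        // Rotate the ID at the privilege boundary (Servlet 3.1+). The session
        // object and its attributes survive; only the identifier the browser
        // holds changes, so an ID fixed before login is useless afterwards.
        String newId = req.changeSessionId();
        session.setAttribute("user", user);

        // Never log full session IDs; a short prefix is enough to correlate.
        getServletContext().log("login: session id rotated "
                + oldId.substring(0, 4) + "... -> " + newId.substring(0, 4) + "...");
        resp.sendRedirect(req.getContextPath() + "/");
    }

    private void logout(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // getSession(false) never creates a session, so logging out of an
        // already-expired session is a no-op rather than a new session.
        HttpSession session = req.getSession(false);
        if (session != null) {
            // invalidate() removes the session from Tomcat's Manager. The old ID
            // is no longer known server side; a request that still presents it
            // is treated as having no session, and any further call on this
            // HttpSession object throws IllegalStateException.
            session.invalidate();
        }
        // Belt and braces: tell the browser to drop the cookie as well. The path
        // must match the one Tomcat set, or the browser keeps the stale cookie.
        Cookie dead = new Cookie("JSESSIONID", "");
        dead.setMaxAge(0);
        dead.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        dead.setHttpOnly(true);
        resp.addCookie(dead);
        resp.sendRedirect(req.getContextPath() + "/login");
    }
}
```

Two practitioner notes. First, the ID itself: Tomcat's session manager draws it from java.security.SecureRandom (SHA1PRNG by default), 16 random bytes rendered as 32 hex characters; the length and the PRNG are tunable through the sessionIdLength, secureRandomAlgorithm and secureRandomClass attributes of the `<Manager>` element in context.xml, which is where to look if a hardening guide asks you to prove the ID is not guessable. Second, if you use container-managed authentication (a `<login-config>` in web.xml) rather than your own login servlet, Tomcat's authenticator valves already rotate the ID on successful authentication (changeSessionIdOnAuthentication, enabled by default), so the changeSessionId() call above is only needed for application-managed logins.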
