On 07/02/18 23:49, Alex O'Ree wrote:
> I was recently perusing security implementation guides and ran across one
> that required that session ids be "destroyed" after use and not reused.
> From my understanding, it looks like the java/tomcat/servlet equivalent is
> the JSESSIONID. I'm assuming this is probably a randomly generated id but I
> honestly don't know without digging through the code base.
It is a securely generated random ID.

> If it is a randomly generated UUID it's a pretty safe assumption that a
> duplicate id is very unlikely and that reusing a session id for a different
> tomcat user session is also very unlikely. Is this correct?

Correct.

> The action of destroying the session id server side (again without looking
> at the code) is probably just a string that is eventually gc'd. Is that
> correct or is it something more sophisticated?

Also correct.

> Anyhow, I figured I would ask the tomcat community on this one.

HTH,

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
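As an added illustration (not code from the thread or from Tomcat itself) of the "destroy after use, never reuse" requirement Alex asked about: a Servlet 3.1+ webapp can rotate the JSESSIONID at login with `HttpServletRequest.changeSessionId()` and destroy it at logout with `HttpSession.invalidate()`, after which Tomcat drops the session from its Manager and issues a fresh random ID for any new session. The `/login` and `/logout` mappings and the use of container-managed `req.login()` are assumptions for the example.

```java
// Added example: session ID rotation at login and destruction at logout.
// Assumes a Servlet 3.1+ container (Tomcat 8+) with a realm configured so
// that req.login() works; the URL mappings are illustrative.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/login")
class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        try {
            // Container-managed authentication against the configured realm.
            req.login(req.getParameter("username"), req.getParameter("password"));
        } catch (ServletException bad) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        HttpSession session = req.getSession(true);
        // Discard the pre-authentication ID so a value seen before login is
        // never reused for the authenticated session (session fixation defence).
        // Tomcat generates the replacement with the same secure random source.
        req.changeSessionId();
        session.setAttribute("user", req.getUserPrincipal().getName());
        resp.sendRedirect(req.getContextPath() + "/home");
    }
}

@WebServlet("/logout")
class LogoutServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession session = req.getSession(false); // don't create one just to kill it
        if (session != null) {
            session.invalidate(); // server side: session removed, ID never handed out again
        }
        req.logout();
        // Client side: expire the cookie so the browser stops sending the dead ID.
        Cookie dead = new Cookie("JSESSIONID", "");
        dead.setMaxAge(0);
        dead.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        dead.setHttpOnly(true);
        resp.addCookie(dead);
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```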