Java Mailing List Archive

http://www.junlu.com/


Re: Sessionid duplication

eric

2007-01-17


Thank you for the great explanation.
- Eric

David Delbecq wrote:
> By default, the manager generates 16-hexadecimal-character session
> identifiers. Those are generated by taking the first 16 characters of
> the md5 sum of a random byte[16]. If we assume (that might be a bit
> wrong) that all md5 sums are equiprobable, that means in the end that
> your session id is a 64-bit random number.
>
> So that would mean that the odds that 2 session ids, over 30.000 sessions, are the same is
> 30.000/2^64 ~= 1.6263E-15
>
>
> However, you can still configure
> 1) the Algorithm to use (if md5 digest does not fit your needs)
> 2) the sessionIdLength you want to have on session id (eg 32 instead of 16)
> 3) as explained, add a 'jvmroute' (because inside one manager checks are
> made that a session id is not yet used)
>
> If you extend the session id key to length 24 (96-bit session
> identifier), you have
>
> 30.000/2^96 ~= 3.7865E-25
>
> full process details:
> http://svn.apache.org/repos/asf/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/session/ManagerBase.java
>
> At the precise moment of 01/17/07 15:44, Eric Waite expressed himself in
> all his nobility:
>  
>> Very very small may be acceptable, what do you mean by very very
>> small...?
>> Would 30,000 unique sessions across 3 servers.... have a potential issue?
>>
>> Thanks.
>>
>> Eric
>>
>> Filip Hanik - Dev Lists wrote:
>>  
>>> while there is a risk for duplicate sessions being generated, we
>>> believe it to be very very small.
>>> What you can do is set jvmRoute in the <Engine> element to be unique
>>> for each one, that makes it less likely to be duplicate.
>>> Or you can come up with a better random algorithm, take a look at
>>> org.apache.catalina.session.StandardManager
>>>
>>> Filip
>>>
>>> Eric Waite wrote:
>>>    
>>>> This has been addressed before I am sure, but I do not know where to
>>>> find the answer.
>>>> I have 3 Tomcat servers sitting behind a load balancer using sticky
>>>> sessions.
>>>>
>>>> I do not have session replication working yet, the tomcats are
>>>> standalone.
>>>>
>>>> How do I prevent and what are the chances that a duplicate session
>>>> id is generated?
>>>>
>>>> Thanks in advance.
>>>>
>>>>      
>>> ---------------------------------------------------------------------
>>> To start a new topic, e-mail: users@(protected)
>>> To unsubscribe, e-mail: users-unsubscribe@(protected)
>>> For additional commands, e-mail: users-help@(protected)
>>>
>>>
>>>    
>
>

--
Eric Waite
eric@(protected)
Taylor Associates
Phone: (631) 549-3000
Fax: (631) 549-3156

1-800-732-3758 Ex 317
Http://www.readingplus.com

Need Help, Visit our support website: http://www.readingplus.com/support/
Learn how to use Reading Plus http://www.readingplus.com/help/
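
Added example (not part of the original thread and not Tomcat's code): a Python model of the setup discussed above, three standalone managers issuing uniformly random ids, which counts the id pairs that no manager ever compares and applies the birthday approximation to them. The even 10,000-per-server split, the function names and the treatment of a unique jvmRoute as part of the id are assumptions of this sketch.

```python
import math

def pairs_within(n: int) -> int:
    """Number of distinct id pairs among n ids."""
    return n * (n - 1) // 2

def cross_server_pairs(per_server: list[int]) -> int:
    """Pairs whose two ids came from different managers, so neither manager checks them."""
    total = sum(per_server)
    return pairs_within(total) - sum(pairs_within(n) for n in per_server)

def collision_probability(pairs: int, id_bits: int) -> float:
    """P(at least one pair matches), treating pairs as independent (birthday approximation)."""
    # log1p/expm1 keep precision when the per-pair probability is as small as 2**-64.
    return -math.expm1(pairs * math.log1p(-(2.0 ** -id_bits)))

def cluster_duplicate_probability(per_server: list[int], hex_chars: int,
                                  unique_jvm_route: bool) -> float:
    """Chance that two live sessions anywhere in the cluster share an id, under this model."""
    if unique_jvm_route:
        # Assumption: the route is part of the id, so ids from different servers always
        # differ, and each manager re-draws an id it has already issued.
        return 0.0
    return collision_probability(cross_server_pairs(per_server), 4 * hex_chars)

if __name__ == "__main__":
    load = [10_000, 10_000, 10_000]  # constructed: 30,000 sessions spread over 3 servers
    for hex_chars in (16, 24):
        bits = 4 * hex_chars
        one_pool = collision_probability(pairs_within(sum(load)), bits)
        no_route = cluster_duplicate_probability(load, hex_chars, unique_jvm_route=False)
        with_route = cluster_duplicate_probability(load, hex_chars, unique_jvm_route=True)
        print(f"{bits}-bit ids: any pair of 30,000 = {one_pool:.4e}, "
              f"cross-server only = {no_route:.4e}, unique jvmRoute = {with_route}")
```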


