How are session IDs generated?

Ulf Dittmer
Rancher

Joined: Mar 22, 2005
Posts: 42958
    
  73
I assume they are a hash of something, but does anyone know more about the algorithm? Like which pieces of information go into the hash, and within which timeframe IDs could conceivably collide? Any links are appreciated as well.

Thanks,
Ulf
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 13001
    
    5
Why not look at the Tomcat source code?
Bill
Ulf Dittmer
Rancher

Joined: Mar 22, 2005
Posts: 42958
    
  73
I know, the source is my friend. But I was hoping that someone had more insight, or had done the source-spelunking already.

Edited later: The session ID is a 16 byte random number, run through a digest (MD5 by default), and then converted to hex.
[ August 01, 2005: Message edited by: Ulf Dittmer ]
David Spades
Ranch Hand

Joined: Feb 01, 2014
Posts: 321
Just being curious. Let's say several users (users A, B, C, D and E) interacted with the server.
Then the server is restarted, so all sessions are destroyed.
Then comes user F, and F also gets a new session. My question is, is it possible for the newly generated session ID to be the same as the sessions still retained by users A - E?
If it is, then this would be a security breach, as a user other than F theoretically would have access to F's data.
Is this the case with Tomcat?
Thanks
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 17033
    
  26

Actually, the default behavior for recent versions of Tomcat if the server is restarted is that the sessions persist over the restart (they're stored in the work directory as ".ser" files).

The sessionid-generating algorithm, like all hash algorithms, can potentially come up with an identical ID, but the whole point of designing the algorithm is to minimize that possibility. I like Brockschmidt's quote about the chances of 2 GUIDs generating the same as "about as likely as a bunch of atoms out in space suddenly rushing together to form a small walnut".

Incidentally, if you switch from normal to SSL security in Tomcat, the session remains, but the old jsessionID is discarded and a brand-new one is generated. It still refers to the same session, but that way people cannot tap into secured communications using the unsecured handle that was publicly visible (unencrypted) - it's no longer attached to anything.


An IDE is no substitute for an Intelligent Developer.
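As an added example (not Tomcat's source and not code posted by anyone in this thread), here is a Python model of the scheme Ulf describes, 16 random bytes digested with MD5 and hex-encoded, together with the birthday-bound estimate behind Tim's point that two live IDs colliding is astronomically unlikely. The function and parameter names are my own.

```python
import hashlib
import math
import secrets

# Constructed model of the scheme described in the thread: 16 random bytes,
# run through MD5, rendered as hex. Illustration only, not Tomcat's code.
ID_RANDOM_BYTES = 16
DIGEST = "md5"


def generate_session_id(rng=secrets.token_bytes, digest=DIGEST):
    """Return a hex session ID built from ID_RANDOM_BYTES random bytes.

    The digest adds no entropy: the ID space is bounded by the 128 bits of
    input randomness (MD5's output is also 128 bits), which is the figure the
    collision estimate below reasons about. `rng` is injectable so the
    construction can be checked deterministically.
    """
    raw = rng(ID_RANDOM_BYTES)
    return hashlib.new(digest, raw).hexdigest()


def collision_probability(live_sessions, id_bits=ID_RANDOM_BYTES * 8):
    """Birthday bound: P(some pair of n uniformly random id_bits-bit IDs collide).

    Uses the standard approximation p ~= 1 - exp(-n(n-1) / (2 * 2^bits)),
    computed with expm1 so tiny probabilities do not round to zero.
    """
    n = live_sessions
    return -math.expm1(-n * (n - 1) / (2.0 * 2 ** id_bits))


def sessions_for_collision_probability(target_p, id_bits=ID_RANDOM_BYTES * 8):
    """Number of simultaneous IDs at which collision probability reaches target_p."""
    return math.sqrt(2.0 * 2 ** id_bits * math.log(1.0 / (1.0 - target_p)))


if __name__ == "__main__":
    sid = generate_session_id()
    print(f"example id: {sid} ({len(sid)} hex chars)")
    for n in (10**6, 10**9, 10**12):
        print(f"{n:>14} live sessions -> P(collision) ~ {collision_probability(n):.3e}")
    print(f"sessions needed for a 50% collision chance: "
          f"{sessions_for_collision_probability(0.5):.3e}")
```

Restarting Tomcat does not change the arithmetic: a fresh ID drawn after a restart is just one more sample from the same 128-bit space as the IDs still held by older clients.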