
Increase the complexity of jsessionId

Ranch Hand
Posts: 104
Hi All,
For some security reasons I want to increase the complexity of the jsessionid created in Tomcat. I would like to create a stronger session id with capitals, lowercase letters, numbers and punctuation marks for higher security. Is it possible to do? Does Tomcat allow such customization?

Regards,
Surya
Author and all-around good cowpoke
Posts: 13078
This requirement makes no sense to me. Session ids are generated automatically by the servlet container and are guaranteed to be unique.

Any conceivable security attack would involve grabbing the session ID in transit; the complexity would make no difference.

What kind of security concerns are you most worried about? The answer might get you more useful suggestions.

Bill
Saloon Keeper
Posts: 28073
You could always hack the source code. But unless you have formal training in cryptology, I'd be very careful about "improving" their algorithm. Most "clever" amateur security schemes have basic fatal flaws in them. The industry-standard algorithms have all been mathematically vetted by pros. And even then occasionally a loophole gets discovered.

According to my estimate, the likelihood of anyone randomly constructing a sessionid identical to the one that JavaRanch is using for me is 37**32, which may not be a googol (sic), but it's close enough for all intents and purposes that, given current CPU and network speeds, no one is likely to randomly hit on it in time to do any good (or harm).

Of far more import is whether or not you hide the sessionid by using https (encrypted) connections.
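Working the 37**32 estimate above through in bits, as an added example that is not from the thread: it computes the entropy of a session id from its alphabet size and length, and shows that re-encoding the same random bytes over a richer alphabet (letters, digits, punctuation) only shortens the id; the secrecy still comes from the random source, not the character set. The alphabets and guess rate are constructed for the example.

```python
import math
import secrets
import string

# Candidate per-symbol alphabets for a session id (constructed for this example).
ALPHABETS = {
    "hex": "0123456789abcdef",                                                 # Tomcat's default encoding
    "alnum": string.ascii_letters + string.digits,                             # 62 symbols
    "alnum+punct": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}

def id_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in an id of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)

def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest id over the alphabet that carries at least `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit one specific id by blind guessing (half the id space on average)."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)

def encode_bytes(raw: bytes, alphabet: str) -> str:
    """Render the same secret bytes over an arbitrary alphabet (big-endian base conversion).
    Leading zero bytes shorten the output; the entropy of `raw` is unchanged either way."""
    n, base, out = int.from_bytes(raw, "big"), len(alphabet), []
    while n:
        n, r = divmod(n, base)
        out.append(alphabet[r])
    return "".join(reversed(out)) or alphabet[0]

def compare_encodings(raw: bytes) -> dict:
    """Same CSPRNG bytes under each alphabet: the id gets shorter, its entropy (8 * len(raw)) does not."""
    return {name: encode_bytes(raw, a) for name, a in ALPHABETS.items()}

if __name__ == "__main__":
    print("32 hex chars :", id_entropy_bits(16, 32), "bits")             # 128 bits
    print("37**32 ids   :", round(id_entropy_bits(37, 32), 1), "bits")   # the estimate quoted in the thread
    for name, a in ALPHABETS.items():
        print(f"{name:12} needs {length_for_bits(len(a), 128)} symbols for 128 bits")
    print("years to guess a 128-bit id at 1e9 guesses/s:", f"{expected_years_to_guess(128, 1e9):.1e}")
    print(compare_encodings(secrets.token_bytes(16)))  # secrecy comes from token_bytes, not the alphabet
```

A 20-symbol id over 94 characters and a 32-symbol hex id carry the same 128 bits; what a reviewer should check is the generator behind the id (a CSPRNG such as SecureRandom) and whether the cookie only ever travels over HTTPS.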