• Bug
  • Status: Closed
  • 2 Major
  • Resolution: Fixed
  • Sessions
  • teck
  • Reporter: teck
  • August 28, 2008
  • 0
  • Watchers: 0
  • April 10, 2009
  • February 28, 2009

Description

The ID generator for TC sessions does not guarantee that a unique session ID will be created for new sessions. DefaultIDGenerator uses a SecureRandom and a local-only counter, but that only makes the chances of a collision very small; it does not ensure there will not be a collision. The ID generator will need to cooperate with the data store to ensure that the key does not exist before allowing it to be issued to a request for a new session.

The problem gets worse when multiple contexts are clustered that all have the same context path (but differing vhosts) (see CDV-206), since the root for the session data store will become common to all of those contexts.

Comments

Tim Eck 2008-12-16

We should also change the ID generator to use more characters. There is no reason we can’t use the entire range A-Z,a-z,0-9 in the ID. The key space would be much larger in this case. Right now all we use is A-F,0-9.

nadeem ghani 2009-04-08

unit test added
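
An added example, not part of the original ticket and not Terracotta's code: a sketch of the approach the description and the 2008-12-16 comment call for, drawing IDs from A-Z, a-z, 0-9 and issuing one only after an atomic check-and-insert against the store. The class name, ID length, retry limit and the `ConcurrentMap` standing in for the clustered session store are assumptions.

```java
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Hypothetical class for illustration; not Terracotta's DefaultIDGenerator.
public class UniqueSessionIdGenerator {
    private static final char[] ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".toCharArray();
    private static final int ID_LENGTH = 32;   // assumed length
    private static final int MAX_ATTEMPTS = 8; // assumed retry limit
    private final SecureRandom random = new SecureRandom();
    // Stand-in for the clustered session store (assumption).
    private final ConcurrentMap<String, Object> store;

    public UniqueSessionIdGenerator(ConcurrentMap<String, Object> store) { this.store = store; }

    // Random candidate over 62 symbols; nextInt(bound) avoids modulo bias.
    protected String candidate() {
        char[] id = new char[ID_LENGTH];
        for (int i = 0; i < id.length; i++) {
            id[i] = ALPHABET[random.nextInt(ALPHABET.length)];
        }
        return new String(id);
    }

    // Atomic check-and-insert: the ID is issued only if the key was absent.
    // A separate containsKey() followed by put() would race across nodes.
    public String newSessionId(Object session) {
        for (int attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
            String id = candidate();
            if (store.putIfAbsent(id, session) == null) {
                return id;
            }
        }
        throw new IllegalStateException("no unique session ID found");
    }

    public static void main(String[] args) {
        ConcurrentMap<String, Object> store = new ConcurrentHashMap<>();
        store.put("TAKEN", "existing session"); // constructed collision
        final int[] calls = {0};
        UniqueSessionIdGenerator gen = new UniqueSessionIdGenerator(store) {
            @Override protected String candidate() { // force one collision
                return calls[0]++ == 0 ? "TAKEN" : super.candidate();
            }
        };
        String id = gen.newSessionId("new session");
        System.out.println("issued=" + id + " candidates drawn=" + calls[0]);
        System.out.println("existing entry kept=" + store.get("TAKEN"));
    }
}
```

The forced collision in `main` shows the existing session's entry left untouched while the new session receives a different ID on the second draw.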