• Bug
  • Status: Closed
  • 2 Major
  • Resolution: Fixed
  • Sessions
  • teck
  • Reporter: teck
  • August 28, 2008
  • 0
  • Watchers: 0
  • April 10, 2009
  • February 28, 2009


The ID generator for TC sessions does not guarantee that a unique session ID will be created for new sessions. DefaultIDGenerator uses a SecureRandom and a local only counter, but that only makes the chances for a collision very small, it does not ensure there not be a collision. The ID generator will need to cooperate with the data store to ensure that key does not exist before allowing to be issued to a request for a new session

The problem gets worse when multiple contexts are clustered that all have the same context path (but differing vhosts) (see CDV-206) since the root for the session data store will be come to common to all of those contexts.


Tim Eck 2008-12-16

We should also change the ID generator to use more characters. There is no reason we can’t use the entire range A-Z,a-z,0-9 in the ID. The key space would be much larger in this case. Right now all we use is A-F,0-9

nadeem ghani 2009-04-08

unit test added