Posted to dev@tomcat.apache.org by lu...@apache.org on 2004/02/09 19:30:38 UTC
cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session ManagerBase.java mbeans-descriptors.xml
luehe 2004/02/09 10:30:38
Modified: catalina/src/share/org/apache/catalina Manager.java
catalina/src/share/org/apache/catalina/session
ManagerBase.java mbeans-descriptors.xml
Log:
Added support for configurable session id length
Revision Changes Path
1.7 +22 -4 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/Manager.java
Index: Manager.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/Manager.java,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- Manager.java 13 Jan 2004 01:39:36 -0000 1.6
+++ Manager.java 9 Feb 2004 18:30:38 -0000 1.7
@@ -164,6 +164,24 @@
public void setMaxInactiveInterval(int interval);
+ /**
+ * Gets the session id length (in bytes) of Sessions created by
+ * this Manager.
+ *
+ * @return The session id length
+ */
+ public int getSessionIdLength();
+
+
+ /**
+ * Sets the session id length (in bytes) for Sessions created by this
+ * Manager.
+ *
+ * @param sessionIdLength The session id length
+ */
+ public void setSessionIdLength(int idLength);
+
+
// --------------------------------------------------------- Public Methods
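Review bot: The Javadoc on the new setter names `@param sessionIdLength` while the declared parameter is `idLength`, so the tag documents nothing; it should read `@param idLength The session id length, in bytes`. The same mismatch is repeated on the implementation in ManagerBase.java. The comment also leaves out that the id is rendered as hex, so the string is twice this many characters, and it gives no acceptable range; because a shorter id is easier to guess, the contract should state a minimum. Since these are new methods on the `Manager` interface, any implementation that does not extend `ManagerBase` will presumably need updating as well.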
1.25 +61 -24 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/ManagerBase.java
Index: ManagerBase.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/ManagerBase.java,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- ManagerBase.java 26 Jan 2004 20:19:11 -0000 1.24
+++ ManagerBase.java 9 Feb 2004 18:30:38 -0000 1.25
@@ -119,13 +119,6 @@
/**
- * The number of random bytes to include when generating a
- * session identifier.
- */
- protected static final int SESSION_ID_BYTES = 16;
-
-
- /**
* The message digest algorithm to be used when generating session
* identifiers. This must be an algorithm supported by the
* <code>java.security.MessageDigest</code> class on your platform.
@@ -187,6 +180,12 @@
/**
+ * The session id length of Sessions created by this Manager.
+ */
+ protected int sessionIdLength = 16;
+
+
+ /**
* The descriptive name of this Manager implementation (for logging).
*/
protected static String name = "ManagerBase";
@@ -488,6 +487,36 @@
/**
+ * Gets the session id length (in bytes) of Sessions created by
+ * this Manager.
+ *
+ * @return The session id length
+ */
+ public int getSessionIdLength() {
+
+ return (this.sessionIdLength);
+
+ }
+
+
+ /**
+ * Sets the session id length (in bytes) for Sessions created by this
+ * Manager.
+ *
+ * @param sessionIdLength The session id length
+ */
+ public void setSessionIdLength(int idLength) {
+
+ int oldSessionIdLength = this.sessionIdLength;
+ this.sessionIdLength = idLength;
+ support.firePropertyChange("sessionIdLength",
+ new Integer(oldSessionIdLength),
+ new Integer(this.sessionIdLength));
+
+ }
+
+
+ /**
* Return the descriptive short name of this Manager implementation.
*/
public String getName() {
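Review bot: `setSessionIdLength` stores any int without checking it. In this commit's `generateSessionId` a value of zero or less never enters the `while` loop, so every session would receive the empty string as its id, and a small positive value shrinks the id space a session-guessing attempt has to cover. Reject non-positive values before the assignment, e.g. `if (idLength < 1) throw new IllegalArgumentException("sessionIdLength must be positive: " + idLength);`, and consider logging a warning when the value drops below the previous 16-byte default. The body of `getName` continues outside the hunk.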
@@ -496,8 +525,9 @@
}
- /** Use /dev/random-type special device. This is new code, but may reduce the
- * big delay in generating the random.
+ /**
+ * Use /dev/random-type special device. This is new code, but may reduce
+ * the big delay in generating the random.
*
* You must specify a path to a random generator file. Use /dev/urandom
* for linux ( or similar ) systems. Use /dev/random for maximum security
@@ -828,23 +858,30 @@
* Generate and return a new session identifier.
*/
protected synchronized String generateSessionId() {
- byte bytes[] = new byte[SESSION_ID_BYTES];
- getRandomBytes( bytes );
- bytes = getDigest().digest(bytes);
+
+ byte random[] = new byte[16];
// Render the result as a String of hexadecimal digits
StringBuffer result = new StringBuffer();
- for (int i = 0; i < bytes.length; i++) {
- byte b1 = (byte) ((bytes[i] & 0xf0) >> 4);
- byte b2 = (byte) (bytes[i] & 0x0f);
- if (b1 < 10)
- result.append((char) ('0' + b1));
- else
- result.append((char) ('A' + (b1 - 10)));
- if (b2 < 10)
- result.append((char) ('0' + b2));
- else
- result.append((char) ('A' + (b2 - 10)));
+ int resultLenBytes = 0;
+ while (resultLenBytes < this.sessionIdLength) {
+ getRandomBytes(random);
+ random = getDigest().digest(random);
+ for (int j = 0;
+ j < random.length && resultLenBytes < this.sessionIdLength;
+ j++) {
+ byte b1 = (byte) ((random[j] & 0xf0) >> 4);
+ byte b2 = (byte) (random[j] & 0x0f);
+ if (b1 < 10)
+ result.append((char) ('0' + b1));
+ else
+ result.append((char) ('A' + (b1 - 10)));
+ if (b2 < 10)
+ result.append((char) ('0' + b2));
+ else
+ result.append((char) ('A' + (b2 - 10)));
+ resultLenBytes++;
+ }
}
return (result.toString());
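Review bot: Inside the `while` loop `random` is reassigned to the digest output, so from the second round on `getRandomBytes` fills a buffer whose size is the digest length rather than the 16 declared above, and the literal `16` now duplicates the removed `SESSION_ID_BYTES` constant. Keep the input buffer and the digest separate, `byte digest[] = getDigest().digest(random);`, and iterate over `digest` in the inner loop. `this.sessionIdLength` is also re-read on every iteration while the setter is not synchronized, so copying it once into a local (`final int length = this.sessionIdLength;`) would keep a single id consistent if the property changes concurrently. The method's closing brace is outside the hunk.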
1.4 +10 -0 jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/mbeans-descriptors.xml
Index: mbeans-descriptors.xml
===================================================================
RCS file: /home/cvs/jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session/mbeans-descriptors.xml,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- mbeans-descriptors.xml 10 Dec 2003 23:00:36 -0000 1.3
+++ mbeans-descriptors.xml 9 Feb 2004 18:30:38 -0000 1.4
@@ -52,6 +52,11 @@
created by this Manager"
type="int"/>
+ <attribute name="sessionIdLength"
+ description="The session id length (in bytes) of Sessions
+ created by this Manager"
+ type="int"/>
+
<attribute name="name"
description="The descriptive name of this Manager implementation
(for logging)"
@@ -175,6 +180,11 @@
<attribute name="maxInactiveInterval"
description="The default maximum inactive interval for Sessions
+ created by this Manager"
+ type="int"/>
+
+ <attribute name="sessionIdLength"
+ description="The session id length (in bytes) of Sessions
created by this Manager"
type="int"/>
Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/session
ManagerBase.java mbeans-descriptors.xml
Posted by Remy Maucherat <re...@apache.org>.
luehe@apache.org wrote:
> luehe 2004/02/09 10:30:38
>
> Modified: catalina/src/share/org/apache/catalina Manager.java
> catalina/src/share/org/apache/catalina/session
> ManagerBase.java mbeans-descriptors.xml
> Log:
> Added support for configurable session id length
+1 for this. Obviously security is significantly lower, but I got
requests for this in my previous job (cellphones related), when cookies
are not allowed and the URLs should stay short :)
Rémy