Posted to users@tomcat.apache.org by Glenn Olander <gl...@greenoak.com> on 2002/12/29 19:03:13 UTC

Re: Re: Is session id guaranteed to be unique?

Thanks. I installed my own Manager with a fix similar to yours and it seems to solve the problem (I used a contrived Random class to generate duplicate session id's).

This certainly sounds like a serious bug to me. If there's a mechanism in place to warn tomcat users about security problems, I'd recommend doing so, in addition to applying the patch. Speaking of which, I may be wrong, but I don't think your patch is quite right. You'll need to append the jvmRoute _before_ doing the sessions.get() call, and again each time inside the loop. In other words, I believe it should look like this:

        String sessionId = generateSessionId();
        String jvmRoute = getJvmRoute();
        // @todo Move appending of jvmRoute into generateSessionId()???
        // Append the route suffix first, so the lookup below is done on the
        // same form of the id that is stored in the sessions map.
        if (jvmRoute != null) {
            sessionId += '.' + jvmRoute;
        }

        synchronized (sessions) {
            // Guarantee uniqueness: retry until the (suffixed) id is unused.
            while (sessions.get(sessionId) != null) {
                log("Found duplicate session id, getting a new one.");
                sessionId = generateSessionId();
                // The suffix must be re-applied on every retry as well.
                if (jvmRoute != null) {
                    sessionId += '.' + jvmRoute;
                }
            }
        }

        session.setId(sessionId);

        return (session);

- Glenn


Tim Funk wrote:

> See this thread for more information:
>
> http://marc.theaimsgroup.com/?l=tomcat-dev&m=104072138429223&w=2
>



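The ordering point Glenn raises, as an added, self-contained example (this is not Tomcat's Manager code): a minimal session manager with a constructed Random that deliberately repeats its first two outputs. The `createSession` method appends the jvmRoute before the uniqueness lookup and again inside the retry loop, while `createSessionCheckedBeforeRoute` shows the defect of checking the raw id first: the stored keys carry the suffix, so the raw lookup never matches and a duplicate id is handed out. Class and method names, the 16-byte id length and the `node1` route value are assumptions for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Random;

/** Added example, not Tomcat's code: session id generation with a route suffix. */
public class SessionIdUniqueness {

    /** Constructed RNG: the first two calls return identical bytes, forcing a collision. */
    static class CollidingRandom extends Random {
        private int calls = 0;

        @Override
        public void nextBytes(byte[] bytes) {
            int seed = (calls < 2) ? 0 : calls; // calls 0 and 1 collide on purpose
            calls++;
            for (int i = 0; i < bytes.length; i++) {
                bytes[i] = (byte) (seed * 31 + i);
            }
        }
    }

    private final Map<String, Object> sessions = new HashMap<>();
    private final Random random;
    private final String jvmRoute;   // e.g. "node1"; null when not clustered
    private int collisions = 0;

    SessionIdUniqueness(Random random, String jvmRoute) {
        this.random = random;
        this.jvmRoute = jvmRoute;
    }

    /** Raw id from the RNG, hex-encoded (assumed 16 random bytes). */
    String generateSessionId() {
        byte[] buf = new byte[16];
        random.nextBytes(buf);
        StringBuilder sb = new StringBuilder();
        for (byte b : buf) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Single place that adds the route suffix, so lookup and storage agree. */
    private String withRoute(String id) {
        return (jvmRoute != null) ? id + '.' + jvmRoute : id;
    }

    /** Corrected ordering: suffix first, then check; suffix again on every retry. */
    String createSession() {
        String sessionId = withRoute(generateSessionId());
        synchronized (sessions) {
            while (sessions.containsKey(sessionId)) { // guarantee uniqueness
                collisions++;
                sessionId = withRoute(generateSessionId());
            }
            sessions.put(sessionId, new Object());
        }
        return sessionId;
    }

    /** Defective ordering for comparison: raw id is checked, suffix added afterwards. */
    String createSessionCheckedBeforeRoute() {
        String sessionId = generateSessionId();
        synchronized (sessions) {
            while (sessions.containsKey(sessionId)) { // never true: keys carry the suffix
                collisions++;
                sessionId = generateSessionId();
            }
            sessionId = withRoute(sessionId);
            sessions.put(sessionId, new Object());   // silently overwrites on a duplicate
        }
        return sessionId;
    }

    int collisions() {
        return collisions;
    }

    public static void main(String[] args) {
        SessionIdUniqueness fixed = new SessionIdUniqueness(new CollidingRandom(), "node1");
        String a = fixed.createSession();
        String b = fixed.createSession();
        System.out.println("fixed   : " + a + " / " + b
                + " (collisions retried: " + fixed.collisions() + ", distinct: " + !a.equals(b) + ")");

        SessionIdUniqueness broken = new SessionIdUniqueness(new CollidingRandom(), "node1");
        String c = broken.createSessionCheckedBeforeRoute();
        String d = broken.createSessionCheckedBeforeRoute();
        System.out.println("broken  : " + c + " / " + d
                + " (collisions retried: " + broken.collisions() + ", distinct: " + !c.equals(d) + ")");
    }
}
```

Running `main` shows the corrected path retrying once and returning two distinct ids, while the raw-id check reports no collision and hands the same suffixed id to two sessions, which is the behaviour the thread is warning about.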