Posted to users@tomcat.apache.org by Cristian Southall <Cr...@poyntons.com.au> on 2000/08/15 08:29:30 UTC

session IDs

Hi.

My organisation is currently moving from an Oracle App Server environment to Tomcat. It would be nice to leverage Tomcat's convenient session management features but I have to convince my colleagues that the session IDs Tomcat issues are as 'secure' as those we currently build.

I understand that the security of a session ID - given that it does not actually encode any information (that I know of) - is simply how difficult it would be to anticipate or recreate the string Tomcat issues but I cannot find any info on how Tomcat arrives at the values offered as session IDs. 

I would greatly appreciate it if someone could point me towards some relevant documentation/resources on this matter.

Thanks very much,
Cristian   

HP JDV Ltd, its Directors and Associates declare that they from time to time hold interests in/and or earn brokerage, fees or other benefits mentioned in documents to clients.
Any securities recommendation contained in this document is unsolicited general information only. Do not act on a recommendation without first consulting your investment advisor to determine whether the recommendation is appropriate for your investment objectives, financial situation and particular needs.
HP JDV Ltd believes that any information or advice (including any securities recommendation) contained in this document is accurate when issued. However, HP JDV Ltd does not warrant its accuracy or reliability. HP JDV Ltd, its officers, agents and employees exclude all liability whatsoever, in negligence or otherwise, for any loss or damage relating to this document to the full extent permitted by law.


Re: session IDs

Posted by Craig McClanahan <Cr...@eng.sun.com>.
Cristian Southall wrote:

> Hi.
>
> My organisation is currently moving from an Oracle App Server environment to Tomcat. It would be nice to leverage Tomcat's convenient session management features but I have to convince my colleagues that the session IDs Tomcat issues are as 'secure' as those we currently build.
>
> I understand that the security of a session ID - given that it does not actually encode any information (that I know of) - is simply how difficult it would be to anticipate or recreate the string Tomcat issues but I cannot find any info on how Tomcat arrives at the values offered as session IDs.
>

One of the nice things about using open source software is that you can look straight to the source code for this.  For Tomcat 3.2beta 2, you would look at class org.apache.tomcat.util.SessionIdGenerator.  For Catalina (in the "jakarta-tomcat-4.0" workspace), the corresponding code is in org.apache.catalina.session.ManagerBase.  In both cases, the Java SecureRandom class is used to generate all or part of the session identifier.

You can also choose to modify Tomcat yourself, replacing the session id generation code with your own -- and/or offer your improved versions back to Tomcat for inclusion.

> I would greatly appreciate it if someone could point me towards some relevant documentation/resources on this matter.
>
> Thanks very much,
> Cristian
>

Craig McClanahan

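The property Craig's reply relies on, as an added example that is not part of this thread and not Tomcat's own SessionIdGenerator or ManagerBase code: a session ID carries no information, so its only security comes from being drawn from a cryptographically strong random source with enough bits that guessing is infeasible. The class, method names and the 128-bit threshold below are the example's own assumptions, and the "weak" generator is there only to show why a time-seeded java.util.Random is unsuitable for this purpose.

```java
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Random;
import java.util.Set;

/**
 * Stand-alone illustration (not Tomcat code) of generating session IDs from
 * java.security.SecureRandom and of the checks a reviewer would apply.
 */
public class SessionIdExample {

    // Conventional minimum of unpredictable bits per ID; assumed for this example.
    static final int MIN_ENTROPY_BITS = 128;

    // One SecureRandom per generator; seeding is handled by the JVM/OS.
    private static final SecureRandom SECURE_RNG = new SecureRandom();

    /** Bytes needed to carry the requested number of random bits. */
    static int bytesForEntropy(int bits) {
        return (bits + 7) / 8;
    }

    /** Hex-encode raw bytes, lower case, two characters per byte. */
    static String toHex(byte[] raw) {
        StringBuilder sb = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    /** A session ID with at least MIN_ENTROPY_BITS drawn from a CSPRNG. */
    static String newSecureSessionId() {
        byte[] raw = new byte[bytesForEntropy(MIN_ENTROPY_BITS)];
        SECURE_RNG.nextBytes(raw);
        return toHex(raw);
    }

    /**
     * Counter-example: same length and format, but java.util.Random seeded
     * from a 48-bit, time-derived value. The output looks random yet is fully
     * determined by the seed, so its length says nothing about its entropy.
     */
    static String newWeakSessionId(long seed) {
        byte[] raw = new byte[bytesForEntropy(MIN_ENTROPY_BITS)];
        new Random(seed).nextBytes(raw);
        return toHex(raw);
    }

    /**
     * Upper bound on entropy of a hex ID (4 bits per character). A review
     * check on the ID format only; it cannot detect a predictable generator,
     * as the weak generator above shows.
     */
    static int upperBoundEntropyBits(String hexId) {
        return hexId.length() * 4;
    }

    public static void main(String[] args) {
        // Secure IDs: distinct across many draws and long enough by format.
        Set<String> seen = new HashSet<>();
        for (int i = 0; i < 10_000; i++) {
            String id = newSecureSessionId();
            if (!seen.add(id)) {
                throw new IllegalStateException("duplicate secure ID: " + id);
            }
        }
        String sample = newSecureSessionId();
        System.out.println("secure ID:  " + sample
                + "  (format bound " + upperBoundEntropyBits(sample) + " bits, source "
                + SECURE_RNG.getAlgorithm() + ")");

        // Weak IDs: identical whenever the seed repeats, despite passing the
        // same format check. Seed is a fixed value here to make that visible.
        long seed = 1_000_000_000L; // constructed; a real system would use the clock
        String weakA = newWeakSessionId(seed);
        String weakB = newWeakSessionId(seed);
        System.out.println("weak ID:    " + weakA
                + "  (format bound " + upperBoundEntropyBits(weakA) + " bits, but reproducible: "
                + weakA.equals(weakB) + ")");
    }
}
```

The takeaway for the review Cristian describes is that the format check (length, character set) is necessary but not sufficient; what matters is that the bytes come from SecureRandom or an equivalent CSPRNG, which is exactly what Craig points to in the Tomcat sources.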