Posted to users@tomcat.apache.org by Eric Waite <er...@readingplus.com> on 2007/01/17 14:59:48 UTC
Sessionid duplication
This has been addressed before I am sure, but I do not know where to
find the answer.
I have 3 Tomcat servers sitting behind a load balancer using sticky
sessions.
I do not have session replication working yet, the tomcats are standalone.
How do I prevent and what are the chances that a duplicate session id
is generated?
Thanks in advance.
--
Eric
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Sessionid duplication
Posted by Eric Waite <er...@readingplus.com>.
Thank you for the great explanation.
- Eric
David Delbecq wrote:
> By default, the manager generates 16 hexadecimal characters session
> identifiers. Those are generated by taking the first 16 characters of
> the md5 sum of a random byte[16]. If we assume (that might be a bit
> wrong) that all md5 sums are equiprobable, that means in the end that
> your session id is a 64-bit random number.
>
> So that would mean that the odds that 2 session ids, over 30.000 sessions, are the same is
> 30.000/2^64 ~= 1.6263E-15
>
>
> However, you can still configure
> 1) the Algorithm to use (if md5 digest does not fit your needs)
> 2) the sessionIdLength you want to have on session id (eg 32 instead of 16)
> 3) as explained add a 'jvmroute' (because inside one manager checks are
> made that a session id is not yet used)
>
> If you extend the session id key to length 24 (96-bit session
> identifier), you have
>
> 30.000/2^96 ~= 3.7865E-25
>
> full process details:
> http://svn.apache.org/repos/asf/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/session/ManagerBase.java
>
> At the precise moment of 01/17/07 15:44, Eric Waite expressed himself in
> all his nobility:
>
>> Very very small may be acceptable, what do you mean by very very
>> small...?
>> Would 30,000 unique sessions across 3 servers.... have a potential issue?
>>
>> Thanks.
>>
>> Eric
>>
>> Filip Hanik - Dev Lists wrote:
>>
>>> while there is a risk for duplicate sessions being generated, we
>>> believe it to be very very small.
>>> What you can do is set jvmRoute in the <Engine> element to be unique
>>> for each one, that makes it less likely to be duplicate.
>>> Or you can come up with a better random algorithm, take a look at
>>> org.apache.catalina.session.StandardManager
>>>
>>> Filip
>>>
>>> Eric Waite wrote:
>>>
>>>> This has been addressed before I am sure, but I do not know where to
>>>> find the answer.
>>>> I have 3 Tomcat servers sitting behind a load balancer using sticky
>>>> sessions.
>>>>
>>>> I do not have session replication working yet, the tomcats are
>>>> standalone.
>>>>
>>>> How do I prevent and what are the chances that a duplicate session
>>>> id is generated?
>>>>
>>>> Thanks in advance.
>>>>
>>>>
--
Eric Waite
eric@readingplus.com
Taylor Associates
Phone: (631) 549-3000
Fax: (631) 549-3156
1-800-732-3758 Ex 317
Http://www.readingplus.com
Need Help, Visit our support website: http://www.readingplus.com/support/
Learn how to use Reading Plus http://www.readingplus.com/help/
Re: Sessionid duplication
Posted by David Delbecq <de...@oma.be>.
By default, the manager generates 16 hexadecimal characters session
identifiers. Those are generated by taking the first 16 characters of
the md5 sum of a random byte[16]. If we assume (that might be a bit
wrong) that all md5 sums are equiprobable, that means in the end that
your session id is a 64-bit random number.
So that would mean that the odds that 2 session ids, over 30.000 sessions, are the same is
30.000/2^64 ~= 1.6263E-15
However, you can still configure
1) the Algorithm to use (if md5 digest does not fit your needs)
2) the sessionIdLength you want to have on session id (eg 32 instead of 16)
3) as explained add a 'jvmroute' (because inside one manager checks are
made that a session id is not yet used)
If you extend the session id key to length 24 (96-bit session
identifier), you have
30.000/2^96 ~= 3.7865E-25
full process details:
http://svn.apache.org/repos/asf/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/session/ManagerBase.java
At the precise moment of 01/17/07 15:44, Eric Waite expressed himself in
all his nobility:
> Very very small may be acceptable, what do you mean by very very
> small...?
> Would 30,000 unique sessions across 3 servers.... have a potential issue?
>
> Thanks.
>
> Eric
>
> Filip Hanik - Dev Lists wrote:
>> while there is a risk for duplicate sessions being generated, we
>> believe it to be very very small.
>> What you can do is set jvmRoute in the <Engine> element to be unique
>> for each one, that makes it less likely to be duplicate.
>> Or you can come up with a better random algorithm, take a look at
>> org.apache.catalina.session.StandardManager
>>
>> Filip
>>
>> Eric Waite wrote:
>>> This has been addressed before I am sure, but I do not know where to
>>> find the answer.
>>> I have 3 Tomcat servers sitting behind a load balancer using sticky
>>> sessions.
>>>
>>> I do not have session replication working yet, the tomcats are
>>> standalone.
>>>
>>> How do I prevent and what are the chances that a duplicate session
>>> id is generated?
>>>
>>> Thanks in advance.
>>>
>>
>>
>
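Added example (not part of the original thread, and not Tomcat's code): a Python sketch of the id scheme described in the message above, computing the n/2^bits figure quoted there next to the birthday bound for any pair among n ids and the cross-server case from the original question. It goes beyond the single figure in the thread; the 10,000-sessions-per-server split and the route name "tc1" are assumptions.

```python
import hashlib
import math
import os

def session_id(length=16, jvm_route=None):
    """Id built the way the thread describes: the first `length` hex
    characters of the MD5 sum of 16 random bytes, with an optional
    '.<jvmRoute>' suffix (route names used here are made up)."""
    if not 1 <= length <= 32:
        raise ValueError("one MD5 digest yields at most 32 hex characters")
    sid = hashlib.md5(os.urandom(16)).hexdigest()[:length]
    return sid if jvm_route is None else f"{sid}.{jvm_route}"

def p_next(existing, hex_len=16):
    """Chance that ONE newly issued id equals one of `existing` ids.
    This is the n / 2^bits figure quoted in the thread."""
    return existing / 2 ** (4 * hex_len)

def p_any(total, hex_len=16):
    """Birthday bound: chance that at least one pair among `total`
    independently generated ids is equal."""
    pairs = total * (total - 1) // 2
    return -math.expm1(-pairs / 2 ** (4 * hex_len))

def p_cross(per_server, hex_len=16):
    """Chance of a duplicate between DIFFERENT standalone servers.
    Pairs inside one server are excluded because, per the thread, a
    manager checks that a new id is not already in use locally."""
    total = sum(per_server)
    same_server = sum(n * (n - 1) for n in per_server)
    pairs = (total * (total - 1) - same_server) // 2
    return -math.expm1(-pairs / 2 ** (4 * hex_len))

if __name__ == "__main__":
    print("sample id:", session_id(16, "tc1"))
    for hex_len in (16, 24, 32):
        print(f"{4 * hex_len:>3} bits  "
              f"next={p_next(30000, hex_len):.4e}  "
              f"any pair={p_any(30000, hex_len):.4e}  "
              f"cross-server={p_cross([10000] * 3, hex_len):.4e}")
```

With a distinct jvmRoute on each server the suffixes differ, so two ids from different servers cannot be equal and the cross-server term drops out.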
Re: Sessionid duplication
Posted by Eric Waite <er...@readingplus.com>.
Very very small may be acceptable, what do you mean by very very small...?
Would 30,000 unique sessions across 3 servers.... have a potential issue?
Thanks.
Eric
Filip Hanik - Dev Lists wrote:
> while there is a risk for duplicate sessions being generated, we
> believe it to be very very small.
> What you can do is set jvmRoute in the <Engine> element to be unique
> for each one, that makes it less likely to be duplicate.
> Or you can come up with a better random algorithm, take a look at
> org.apache.catalina.session.StandardManager
>
> Filip
>
> Eric Waite wrote:
>> This has been addressed before I am sure, but I do not know where to
>> find the answer.
>> I have 3 Tomcat servers sitting behind a load balancer using sticky
>> sessions.
>>
>> I do not have session replication working yet, the tomcats are
>> standalone.
>>
>> How do I prevent and what are the chances that a duplicate session
>> id is generated?
>>
>> Thanks in advance.
>>
--
Eric Waite
eric@readingplus.com
Taylor Associates
Phone: (631) 549-3000
Fax: (631) 549-3156
1-800-732-3758 Ex 317
Http://www.readingplus.com
Need Help, Visit our support website: http://www.readingplus.com/support/
Learn how to use Reading Plus http://www.readingplus.com/help/
Re: Sessionid duplication
Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
while there is a risk for duplicate sessions being generated, we believe
it to be very very small.
What you can do is set jvmRoute in the <Engine> element to be unique for
each one, that makes it less likely to be duplicate.
Or you can come up with a better random algorithm, take a look at
org.apache.catalina.session.StandardManager
Filip
Eric Waite wrote:
> This has been addressed before I am sure, but I do not know where to
> find the answer.
> I have 3 Tomcat servers sitting behind a load balancer using sticky
> sessions.
>
> I do not have session replication working yet, the tomcats are
> standalone.
>
> How do I prevent and what are the chances that a duplicate session id
> is generated?
>
> Thanks in advance.
>