Hello,

The current implementation of getRequestId() is optimized for speed and
generates IDs that are unique to a running instance of Tomcat.

But most server configurations nowadays require uniqueness across the whole
system, and currently we do not offer that as:

1. Request IDs are only unique to a running Tomcat instance

2. Request IDs are reset to 0 each time Tomcat is restarted

3. Request IDs are sometimes generated by another system like a load
balancer or reverse proxy, and passed around via the HTTP header
"X-Request-Id"

I want to propose a patch that would:

1. Check for the HTTP header "X-Request-Id" and, if valid (e.g. does not attempt
SQL or XSS injection etc.), return it

2. Generate a URL-safe Base64-encoded UUID (22 case-sensitive characters)

The value will be set to the requestId private variable to ensure
consistent return value for multiple calls on the same Request.

I have the code ready, but wanted to discuss the matter here first.

Thank you,

Igal

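A sketch of the lookup-then-generate logic the proposal describes, added here as an example; it is not Igal's patch and not Tomcat code. The incoming header value is accepted only if it matches an explicit allow-list of characters and a length bound (whole-string match), which is how a "no injection" property is normally obtained in practice, rather than by searching for SQL or XSS patterns; otherwise a random UUID is packed into 16 bytes and encoded as 22 URL-safe Base64 characters without padding. The class name, the allow-list, the 128-character limit and the way the header value is passed in are assumptions for the example.

```java
import java.nio.ByteBuffer;
import java.util.Base64;
import java.util.UUID;
import java.util.regex.Pattern;

// Example only: not the Tomcat Request class and not the proposed patch.
public final class RequestIdExample {

    // Assumed allow-list: URL-safe Base64 alphabet plus '.', whole-string match,
    // bounded length so an upstream proxy cannot feed us a huge or odd value.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9._-]{1,128}");

    // Cached per request so repeated calls return the same value.
    private String requestId;

    // headerValue is the raw "X-Request-Id" header, or null if absent
    // (how the header is fetched from the request is left out of the example).
    public String getRequestId(String headerValue) {
        if (requestId != null) {
            return requestId;
        }
        if (headerValue != null && SAFE_ID.matcher(headerValue).matches()) {
            requestId = headerValue;          // trusted only because it passed the allow-list
        } else {
            requestId = newRequestId();       // absent or rejected: mint our own
        }
        return requestId;
    }

    // 122 random bits (UUID.randomUUID() is backed by SecureRandom) packed into
    // 16 bytes and encoded as URL-safe Base64 without padding: always 22 chars.
    static String newRequestId() {
        UUID uuid = UUID.randomUUID();
        ByteBuffer buf = ByteBuffer.allocate(16);
        buf.putLong(uuid.getMostSignificantBits());
        buf.putLong(uuid.getLeastSignificantBits());
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf.array());
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a well-formed upstream id and a hostile one.
        String upstream = "req-7f3a9c2e";
        String hostile  = "<script>alert(1)</script>";

        RequestIdExample r1 = new RequestIdExample();
        String id1 = r1.getRequestId(upstream);
        System.out.println("accepted upstream id : " + id1 + " (same on 2nd call: "
                + id1.equals(r1.getRequestId(upstream)) + ")");

        RequestIdExample r2 = new RequestIdExample();
        String id2 = r2.getRequestId(hostile);
        System.out.println("rejected, generated  : " + id2 + " (length " + id2.length() + ")");

        RequestIdExample r3 = new RequestIdExample();
        String id3 = r3.getRequestId(null);
        System.out.println("no header, generated : " + id3 + " (length " + id3.length() + ")");
    }
}
```

Two things a reviewer of such a patch would want stated: honouring "X-Request-Id" at all only makes sense when the header comes from a trusted proxy, since any client can otherwise choose the id that ends up in logs and correlation tooling, and the allow-list above is what makes the accepted value safe to log, not any attempt to recognise attack strings.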