What prevents Tomcat from issuing duplicate session IDs?  From the code
in ManagerBase, it doesn't look like anything prevents it - the only
unique value in the ID is a random number.  In fact, the code which
would guarantee uniqueness is commented out.

I believe we have seen a problem with duplicate session ids on our
production (high-traffic) site.  It's hard to say exactly because the
problem is very rare, but we have had at least two reports from users
that they log in and see data from other people's accounts.

If Tomcat is generating session ids randomly, this is a _HUGE_ problem.
Why not just include a monotonically increasing integer in the session
string?

Thanks,
Jeff Schnitzer
[EMAIL PROTECTED]
The Sims Online
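
Added example, not part of the original message and not Tomcat's own code: one way to keep randomly drawn session IDs unique among active sessions is an atomic check-and-redraw at creation time, which preserves unpredictability where a bare counter would make IDs guessable. Class and method names are hypothetical, and the 2-byte ID width is a constructed value chosen only to make collisions visible.

```java
import java.security.SecureRandom;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

// Added illustration; names are hypothetical, not Tomcat's ManagerBase.
public class SessionIdDemo {
    private static final char[] HEX = "0123456789ABCDEF".toCharArray();
    private final SecureRandom random = new SecureRandom();
    private final ConcurrentHashMap<String, Object> sessions = new ConcurrentHashMap<>();
    private final AtomicLong collisions = new AtomicLong();
    private final int idBytes;

    SessionIdDemo(int idBytes) { this.idBytes = idBytes; }

    // Draw an unpredictable ID from the CSPRNG and hex-encode it.
    private String randomId() {
        byte[] buf = new byte[idBytes];
        random.nextBytes(buf);
        StringBuilder sb = new StringBuilder(idBytes * 2);
        for (byte b : buf) {
            sb.append(HEX[(b >> 4) & 0xF]).append(HEX[b & 0xF]);
        }
        return sb.toString();
    }

    // Register a session under a fresh ID. putIfAbsent is atomic, so two
    // threads that draw the same ID cannot both claim it; the loser redraws.
    String createSession(Object session) {
        while (true) {
            String id = randomId();
            if (sessions.putIfAbsent(id, session) == null) {
                return id;
            }
            collisions.incrementAndGet();
        }
    }

    long collisions() { return collisions.get(); }
    int active() { return sessions.size(); }

    public static void main(String[] args) {
        // Constructed input: a tiny 2-byte ID space (65,536 values) so that
        // duplicates show up within a few thousand sessions.
        SessionIdDemo small = new SessionIdDemo(2);
        for (int i = 0; i < 5000; i++) small.createSession(new Object());
        System.out.println("2-byte IDs: active=" + small.active() + " redraws=" + small.collisions());
        // Same load against a 16-byte (128-bit) ID space.
        SessionIdDemo wide = new SessionIdDemo(16);
        for (int i = 0; i < 5000; i++) wide.createSession(new Object());
        System.out.println("16-byte IDs: active=" + wide.active() + " redraws=" + wide.collisions());
    }
}
```

Without the `putIfAbsent` check, each redraw counted in the 2-byte run would instead have handed a new user an ID that already belonged to a live session.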
