Glenn Olander wrote:
I can also report that I've seen this happen when the system is under load. We had a
user log in and gain access to another user's session. I'm sure you can understand that
makes it a very serious bug for security-sensitive applications, perhaps even deserving
some kind of security alert announcement.

Tim's patch is robust and seems like a good candidate for inclusion in the source
at the earliest opportunity since it ensures that no duplicate session ids will be
commissioned (and ManagerBase already uses SecureRandom).
Bill enabled the (ugly but very safe) code for getting rid of duplicates. That will be in 4.1.x, at least for now.

Experimentation on new and cleaner algorithms should happen in the 5.0.x branch first (and then it may be ported, although I'd say it shouldn't as the current code gets the job done relatively well and is tested).

Remy
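The two properties the thread is after are (a) ids drawn from a cryptographically strong generator and (b) a check-then-register step that cannot hand the same id to two concurrent requests, so one user can never land in another user's session. The following is an added illustration, not Tomcat's ManagerBase code or Tim's patch: a minimal session manager in Python with a lock around the generate/check/register step and a regenerate-on-collision loop. `SessionManager`, `make_colliding_rng` and `concurrent_demo` are hypothetical names introduced here; the colliding generator is constructed purely to exercise the duplicate path, which `secrets.token_hex` would essentially never hit on its own.

```python
import secrets
import threading


class SessionManager:
    """Hands out session ids that are unique among live sessions.

    The generate / check / register sequence runs under one lock so two
    requests arriving at the same moment (the "under load" case from the
    thread) cannot both observe an id as free and both claim it.
    """

    def __init__(self, id_bytes=16, rng=None):
        self.id_bytes = id_bytes
        # Default to the OS CSPRNG; rng is injectable only for testing.
        self._rng = rng or secrets.token_hex
        self._sessions = {}          # session id -> session state
        self._lock = threading.Lock()

    def create_session(self, principal):
        """Create a session bound to `principal`; never reuses a live id."""
        with self._lock:
            while True:
                sid = self._rng(self.id_bytes)
                if sid not in self._sessions:     # regenerate on collision
                    self._sessions[sid] = {"principal": principal}
                    return sid

    def principal_for(self, sid):
        """Return the principal bound to sid, or None if no such session."""
        with self._lock:
            entry = self._sessions.get(sid)
            return entry["principal"] if entry else None

    def invalidate(self, sid):
        with self._lock:
            self._sessions.pop(sid, None)

    def live_count(self):
        with self._lock:
            return len(self._sessions)


def make_colliding_rng(values):
    """Constructed test helper: a fake rng that returns the given ids in order,
    so a deliberate duplicate can be fed to the manager."""
    queue = list(values)

    def rng(_nbytes):
        if not queue:
            raise RuntimeError("colliding rng exhausted")
        return queue.pop(0)
    return rng


def concurrent_demo(threads=8, per_thread=50):
    """Create sessions from several threads at once and report how many
    distinct ids were issued; a correct manager issues threads*per_thread."""
    mgr = SessionManager()
    issued = []
    issued_lock = threading.Lock()

    def worker(name):
        for _ in range(per_thread):
            sid = mgr.create_session(name)
            with issued_lock:
                issued.append(sid)

    pool = [threading.Thread(target=worker, args=(f"user{i}",))
            for i in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return len(set(issued))


if __name__ == "__main__":
    # Feed a duplicate id on purpose: the second user must not receive "aa..".
    mgr = SessionManager(rng=make_colliding_rng(["aa" * 16, "aa" * 16, "bb" * 16]))
    alice, bob = mgr.create_session("alice"), mgr.create_session("bob")
    print(alice != bob, mgr.principal_for(alice), mgr.principal_for(bob))
    print(concurrent_demo())
```

The collision loop is the cheap, "ugly but very safe" part: with a 128-bit id from a CSPRNG it practically never iterates, but it turns an astronomically unlikely duplicate into a guaranteed non-event. The lock is what actually addresses the load-related symptom, since without it two threads can both pass the `not in` check before either registers its id.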

