fyi, the version he checked in contains a bug. It should append jvmRoute within
the loop. It should look like this:

String sessionId = generateSessionId();
String jvmRoute = getJvmRoute();
// @todo Move appending of jvmRoute generateSessionId()???
if (jvmRoute != null) {
    sessionId += '.' + jvmRoute;
}
synchronized (sessions) {
    while (sessions.get(sessionId) != null) { // Guarantee uniqueness
        sessionId = generateSessionId();
        if (jvmRoute != null) {
            sessionId += '.' + jvmRoute; // re-append the route to the regenerated id
        }
    }
}
session.setId(sessionId);

return (session);

Remy Maucherat wrote:

Glenn Olander wrote:

I can also report that I've seen this happen when the system is under load. We had a user log in and gain access to another user's session. I'm sure you can understand that makes it a very serious bug for security-sensitive applications, perhaps even deserving some kind of security alert announcement.

Tim's patch is robust and seems like a good candidate for inclusion in the source at the earliest opportunity since it ensures that no duplicate session ids will be commissioned (and ManagerBase already uses SecureRandom).

Bill enabled the (ugly but very safe) code for getting rid of duplicates. That will be in 4.1.x, at least for now.
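Added illustration (not Tomcat's code and not part of this thread): a small Java class that puts the two variants of the loop side by side. The buggy variant appends jvmRoute once before the uniqueness loop, so an id regenerated inside the loop comes back without the route suffix; the fixed variant re-appends it on every retry, as the corrected snippet above does. The class name, the Supplier-based id generator and the route value "node1" are all assumptions constructed for the demo.

```java
import java.security.SecureRandom;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Supplier;

/** Demo only (assumed name); mirrors the shape of the Manager code in the thread. */
public class SessionIdDemo {

    private final Map<String, Object> sessions = new HashMap<>();
    private final Supplier<String> generator;
    private final String jvmRoute;

    SessionIdDemo(Supplier<String> generator, String jvmRoute) {
        this.generator = generator;
        this.jvmRoute = jvmRoute;
    }

    /** Buggy shape: route appended once, before the loop. A retry drops the suffix. */
    String createIdBuggy() {
        String sessionId = generator.get();
        if (jvmRoute != null) {
            sessionId += '.' + jvmRoute;
        }
        synchronized (sessions) {
            while (sessions.get(sessionId) != null) {
                sessionId = generator.get(); // suffix is lost from here on
            }
            sessions.put(sessionId, new Object()); // reserve under the same lock
        }
        return sessionId;
    }

    /** Fixed shape: route re-appended on every retry, so the check and the result agree. */
    String createIdFixed() {
        String sessionId = generator.get();
        if (jvmRoute != null) {
            sessionId += '.' + jvmRoute;
        }
        synchronized (sessions) {
            while (sessions.get(sessionId) != null) { // guarantee uniqueness
                sessionId = generator.get();
                if (jvmRoute != null) {
                    sessionId += '.' + jvmRoute;
                }
            }
            sessions.put(sessionId, new Object()); // reserve under the same lock
        }
        return sessionId;
    }

    /** Pre-seed an existing session so the first generated id collides. */
    void seed(String id) {
        sessions.put(id, new Object());
    }

    /** Constructed generator that yields a fixed sequence, to force a collision. */
    static Supplier<String> scripted(String... ids) {
        Deque<String> queue = new ArrayDeque<>();
        for (String id : ids) {
            queue.add(id);
        }
        return queue::poll;
    }

    /** Realistic generator for comparison: 16 random bytes from SecureRandom, hex-encoded. */
    static Supplier<String> secureRandomIds() {
        SecureRandom rnd = new SecureRandom();
        return () -> {
            byte[] b = new byte[16];
            rnd.nextBytes(b);
            StringBuilder sb = new StringBuilder(32);
            for (byte x : b) {
                sb.append(String.format("%02x", x));
            }
            return sb.toString();
        };
    }

    public static void main(String[] args) {
        // Both managers already hold "AAAA.node1"; the generator returns AAAA twice, then BBBB.
        SessionIdDemo buggy = new SessionIdDemo(scripted("AAAA", "AAAA", "BBBB"), "node1");
        buggy.seed("AAAA.node1");
        SessionIdDemo fixed = new SessionIdDemo(scripted("AAAA", "AAAA", "BBBB"), "node1");
        fixed.seed("AAAA.node1");

        System.out.println("buggy: " + buggy.createIdBuggy()); // AAAA  (route suffix lost)
        System.out.println("fixed: " + fixed.createIdFixed()); // BBBB.node1

        SessionIdDemo real = new SessionIdDemo(secureRandomIds(), "node1");
        System.out.println("real : " + real.createIdFixed());
    }
}
```

Two points the demo makes concrete: the buggy variant compares a route-less id against keys that carry the route, so its "uniqueness" check is looking at the wrong string and the returned id will not route back to the node that owns the session; and the reservation of the id must happen inside the same synchronized block as the check, otherwise two threads can both pass the check with the same id before either stores it.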
