Bill Barker wrote:
"Remy Maucherat" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

[EMAIL PROTECTED] wrote:

pero        2005/04/15 13:15:45

 Modified:    catalina/src/share/org/apache/catalina Cluster.java
              catalina/src/share/org/apache/catalina/session
                       ManagerBase.java
 Log:
 Refactoring and redesign cluster

+ // FIXME WHy we need no duplication check?
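Review bot: the added comment on this line is an open question ("WHy we need no duplication check?") committed as a FIXME rather than a statement of intent. Either state in the comment why the duplicate check is not needed, or resolve the question before the change lands, and fix the "WHy" capitalisation.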

Because it would mean id generation is extremely insecure, so we would have more urgent problems ;)

I agree with Remy. Before we had the duplication check, we *did* get reports of duplicate ids. I'm -1 for the ManagerBase patch.

Small precision (I think Bill got it right, but his statement isn't very clear): these duplicate id problems were caused by a race condition during the recycling of session objects (session objects were put twice in the recycled list, sometimes, causing two users with different session ids to share the same session object - this was in the 4.1.18 timeframe). As recycling was removed (since it was a really bad idea), there is now no issue.


The session id space is 128-bit, populated by a secure (until proven otherwise; some studies tend to show it is good) random generator, so we *cannot* get collisions. Getting collisions would mean the generator is extremely insecure (since I assume the number of ids generated would be on the order of 10^6), and as stated this would mean a much bigger problem than the impact of getting a duplicate id once in a while.

Conclusion: any check for duplicate session ids is useless.

Rémy
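
The collision argument above, worked numerically as an added example (not code from this thread or from Tomcat). It goes slightly beyond the message by also inverting the birthday bound, to show how few effective bits a generator must have for a duplicate to appear at 10^6 ids; the function names and the truncated-generator simulation are assumptions made for illustration.

```python
import math
import secrets


def collision_probability(n_ids: int, bits: int) -> float:
    """Birthday bound: P(at least one duplicate) among n_ids ids,
    assuming ids are uniform over a space of 2**bits values."""
    # 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps tiny results from rounding to 0.
    return -math.expm1(-n_ids * (n_ids - 1) / 2 ** (bits + 1))


def implied_entropy_bits(n_ids: int, duplicates: int) -> float:
    """Effective id-space size, in bits, that would explain `duplicates`
    repeated ids observed among n_ids generated ids."""
    # Expected duplicate pairs = n(n-1)/2 / 2^bits, solved for bits.
    return math.log2(n_ids * (n_ids - 1) / (2 * duplicates))


def count_duplicates(n_ids: int, effective_bits: int) -> int:
    """Draw n_ids ids from a CSPRNG truncated to effective_bits
    (a constructed stand-in for a weak generator) and count repeats."""
    seen = set()
    duplicates = 0
    for _ in range(n_ids):
        sid = secrets.randbits(effective_bits)
        if sid in seen:
            duplicates += 1
        seen.add(sid)
    return duplicates


if __name__ == "__main__":
    n = 10 ** 6  # order of magnitude assumed in the message
    print(f"P(collision), 128-bit ids, n={n}: {collision_probability(n, 128):.3e}")
    print(f"One duplicate at n={n} implies ~{implied_entropy_bits(n, 1):.1f} effective bits")
    # Constructed comparison: full-width ids versus ids truncated to 32 bits.
    print("duplicates at 128 bits:", count_duplicates(n, 128))
    print("duplicates at  32 bits:", count_duplicates(n, 32))
```

A single duplicate among 10^6 ids is therefore better read as evidence about the generator (or about object reuse, as in the recycling bug described above) than as a normal event to handle.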
