[jboss-jira] [JBoss JIRA] (WFLY-7511) Undertow 'session-id-length' not working properly
Stuart Douglas (JIRA)
issues at jboss.org
Mon Nov 7 23:37:00 EST 2016
[ https://issues.jboss.org/browse/WFLY-7511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stuart Douglas moved JBEAP-6959 to WFLY-7511:
---------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-7511 (was: JBEAP-6959)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Web (Undertow) (was: Web (Undertow))
Affects Version/s: (was: 7.0.0.CR2)
> Undertow 'session-id-length' not working properly
> -------------------------------------------------
>
> Key: WFLY-7511
> URL: https://issues.jboss.org/browse/WFLY-7511
> Project: WildFly
> Issue Type: Bug
> Components: Web (Undertow)
> Reporter: Stuart Douglas
> Assignee: Stuart Douglas
> Priority: Minor
>
> Attribute {{session-id-length}} of servlet-container:
> {code}
> /subsystem=undertow/servlet-container=default:read-resource-description[session-id-length]
> {code}
> does not work exactly the way its description says:
> {code}
> "description" => "The length of the generated session ID. Longer session ID's are more secure.",
> {code}
> When I change its value to {{X}}, the actual result value of the servlet session ID is {{((X + 2) / 3) * 4}}, [see this line of code|https://github.com/undertow-io/undertow/blob/master/core/src/main/java/io/undertow/server/session/SecureRandomSessionIdGenerator.java#L66]. I am not sure what the reason for this is (probably to get some close greater number that can be divided by 4?).
> Please, there should be either:
> - changed code so the resulting session ID has a length that corresponds to what the user set
> - or an updated attribute description to explain properly to the user what is actually set
> Note: [here is the Jira for which this feature has been introduced into Wildfly|https://issues.jboss.org/browse/WFLY-3642].
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
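
The length relationship reported above, as an added example that is not part of the original message or of Undertow's code. It assumes the configured value is the number of random bytes that are then Base64-encoded, which is what the shape of the quoted formula suggests. The class and method names are hypothetical, and the JDK's padded URL-safe Base64 stands in for whatever alphabet the server actually uses.

```java
import java.security.SecureRandom;
import java.util.Base64;

public class SessionIdLengthDemo {

    // Length formula quoted in the report; Java int division truncates.
    static int reportedLength(int configured) {
        return ((configured + 2) / 3) * 4;
    }

    // Assumption: 'configured' random bytes are drawn and Base64-encoded.
    // Padded URL-safe Base64 is a stand-in alphabet; only the length matters.
    static String generate(SecureRandom rng, int configured) {
        byte[] raw = new byte[configured];
        rng.nextBytes(raw);
        return Base64.getUrlEncoder().encodeToString(raw);
    }

    // Smallest setting whose ID has at least minChars characters.
    static int smallestSettingFor(int minChars) {
        int x = 1;
        while (reportedLength(x) < minChars) {
            x++;
        }
        return x;
    }

    public static void main(String[] args) {
        SecureRandom rng = new SecureRandom();
        int[] settings = {1, 15, 16, 28, 29, 30, 32}; // constructed sample values
        System.out.println("setting  id-chars  random-bits  sample-id");
        for (int x : settings) {
            String id = generate(rng, x);
            if (id.length() != reportedLength(x)) {
                throw new IllegalStateException("formula mismatch for " + x);
            }
            // random-bits is 8 per byte under the assumption above
            System.out.printf("%7d  %8d  %11d  %s%n", x, id.length(), 8 * x, id);
        }
        // 28, 29 and 30 all give 40 characters; no setting gives exactly 30.
        int s = smallestSettingFor(30);
        System.out.println("smallest setting for >= 30 chars: " + s
                + " -> " + reportedLength(s) + " chars");
    }
}
```

Because the result is always a multiple of 4, a setting can only bound the ID length from below; under the stated assumption the strength of the ID follows the configured byte count, not the character count seen in the cookie.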