[jboss-user] [Tomcat, HTTPD, Servlets & JSP] - Re: Duplicate sessionIds in cluster
do-not-reply at jboss.com
Wed Apr 25 10:06:38 EDT 2007
We also were having issues with what seemed to be generation of duplicate sessionIDs. But we were running two JBoss AS/JBossWeb servers in a non-clustered environment.
As a test I logged all generated sessionIDs and found that, over time, of the accumulated 5300 sessionIDs generated on the two servers, 153 of them were created on both servers (duplicates). None were duplicates within the same server though.
So from what I can gather, that is a probable cause for some issues we were having.
A temporary fix was to make tomcat generate a longer sessionId on one of the servers in order to be truly unique.
(set the sessionIdLength attribute in deploy/jbossweb-tomcat55.sar/context.xml)
I think in order to be even more secure, we need to write some code that prevents anyone from "faking" a sessionID to "steal" another user's session.
Found some hints here: http://en.wikipedia.org/wiki/Session_fixation