When running a Java web application with the Servlet API (like JSF or JSP pages), somewhere along the line a 'unique' session ID is generated to identify the user's session.
I'm wondering how these session IDs are generated. Do they include the IP of the client? A timestamp? Random numbers?
Secondly, I'm wondering where this generation happens. Is it dependent on the server that runs the application?
It is container specific. Tomcat: http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Manager
A java.security.MessageDigest algorithm is normally used.
Usually the generated ID is just a set of random numbers, up to the required length, but it varies according to the algorithm used by each servlet container.
In Tomcat 6, for example, have a look at:
ManagerBase.sessionIdLength
and
ManagerBase.createSession() // which calls generateSessionId()
See http://www.docjar.com/html/api/org/apache/catalina/session/ManagerBase.java.html
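As an added illustration (written for this page, not Tomcat's code and not part of the answer above), the following class shows the two ingredients the answers mention: a cryptographically strong random source and, optionally, a MessageDigest pass over the random bytes, hex-encoded to the required length. The class and method names, the 32-byte seed size and the "SHA-256" choice are assumptions made here; the 16-byte length is the default that Tomcat's ManagerBase.sessionIdLength uses (32 hex characters).

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

/**
 * Illustrative session ID generator (not Tomcat's implementation).
 * Nothing client-specific (IP, timestamp) goes into the ID: an attacker who
 * could predict those parts would shrink the space they have to guess.
 */
public class SessionIdExample {

    // SecureRandom, never java.util.Random, for anything that acts as a credential.
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final char[] HEX = "0123456789ABCDEF".toCharArray();

    /** Hex-encode bytes; containers commonly present the ID in this form. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(HEX[(b >> 4) & 0x0F]).append(HEX[b & 0x0F]);
        }
        return sb.toString();
    }

    /** Plain approach: idLengthBytes random bytes, hex encoded. */
    static String randomSessionId(int idLengthBytes) {
        byte[] buf = new byte[idLengthBytes];
        RANDOM.nextBytes(buf);
        return toHex(buf);
    }

    /**
     * Digest approach: hash fresh random bytes with a MessageDigest and
     * concatenate digests until the required length is reached.
     * The hash adds no entropy beyond the random input; its role here is
     * only to produce fixed-size output from whatever the random source gives.
     */
    static String digestSessionId(int idLengthBytes, String algorithm) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        StringBuilder sb = new StringBuilder(idLengthBytes * 2);
        byte[] seed = new byte[32]; // assumed seed size for this example
        while (sb.length() < idLengthBytes * 2) {
            RANDOM.nextBytes(seed);
            sb.append(toHex(md.digest(seed)));
        }
        return sb.substring(0, idLengthBytes * 2);
    }

    /**
     * Defender-side check: an incoming JSESSIONID that is not the expected
     * length or charset cannot be one we issued, so reject it before any lookup.
     */
    static boolean isWellFormed(String id, int idLengthBytes) {
        if (id == null || id.length() != idLengthBytes * 2) {
            return false;
        }
        for (int i = 0; i < id.length(); i++) {
            char c = id.charAt(i);
            boolean hex = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'F') || (c >= 'a' && c <= 'f');
            if (!hex) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        int lengthBytes = 16; // Tomcat's ManagerBase default sessionIdLength
        String a = randomSessionId(lengthBytes);
        String b = digestSessionId(lengthBytes, "SHA-256");
        System.out.println("random id: " + a + " wellFormed=" + isWellFormed(a, lengthBytes));
        System.out.println("digest id: " + b + " wellFormed=" + isWellFormed(b, lengthBytes));
        System.out.println("malformed rejected=" + !isWellFormed("not-a-session-id", lengthBytes));
    }
}
```

Compile with javac and run the class to see two 32-character IDs; the point of isWellFormed is that the container (or a filter in front of it) can cheaply discard IDs of the wrong shape before touching the session store.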
http://docs.oracle.com/cd/E17802_01/products/products/servlet/2.3/javadoc/javax/servlet/http/HttpSession.html#getId()
"The identifier is assigned by the servlet container and is implementation dependent."
The jsessionid is generated whenever a new session is created.