How unique is the HttpSession ID?

I am going to uniquely identify a user by storing a unique ID in his/her cookie. HttpSession ID is a good choice from my Google search. Just wanted to know how unique it is? Is it unique to the web container, or once it expires, will it get regenerated? If it repeats, all my user logins can go for a toss. Need some expert opinion on using session ID as a unique identifier for my users.

Tito asked Oct 21 '12 13:10

2 Answers

Session IDs are unique and meaningful only for the lifetime of a session. A session ID identifies a session: nothing more, nothing less. It does not identify a user.

You cannot and should not rely on session IDs ever being reused, let alone for the same user.

Matt Ball answered Sep 18 '22 19:09

A session ID must uniquely identify a session on a server, or on a cluster of servers. You don't have any guarantee of uniqueness across restarts. Why don't you simply use a database sequence, or a UUID?

JB Nizet answered Sep 19 '22 19:09
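To make the two answers concrete, here is an added example (not code from the question or from either answer) of a servlet that keeps the two identifiers apart: the container's session ID, which is deliberately regenerated at login and is therefore never a stable user key, and a random UUID of the application's own, stored in a separate cookie and in a user store, which is what JB Nizet's suggestion amounts to. The servlet class name, the `uid` cookie name, the in-memory `USERS` map standing in for a database table, and the "anonymous" placeholder record are all assumptions of this example.

```java
// Added example: keep the session ID and the per-user identifier separate.
// The class name, cookie name and the in-memory user store are assumed here;
// a real application would back USERS with a database table or sequence.
import java.io.IOException;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class UserIdServlet extends HttpServlet {

    // Stand-in for a database-backed user table keyed by the user's UUID.
    private static final ConcurrentMap<String, String> USERS = new ConcurrentHashMap<>();

    private static final String USER_COOKIE = "uid"; // assumed cookie name

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The session identifies only this browser's current session.
        HttpSession session = req.getSession(true);
        String sessionIdBefore = session.getId();

        // Regenerate the session ID at the point we treat the request as
        // authenticated (Servlet 3.1+ API). This is the standard defence
        // against session fixation, and it is exactly why the session ID
        // cannot double as a stable user key: it is expected to change.
        String sessionIdAfter = req.changeSessionId();

        // The user identifier is a random UUID kept in its own long-lived
        // cookie and in the user store; it survives session expiry and
        // container restarts, which the session ID does not.
        String userId = findUserCookie(req);
        if (userId == null || !USERS.containsKey(userId)) {
            userId = UUID.randomUUID().toString();
            USERS.put(userId, "anonymous"); // placeholder user record
            Cookie c = new Cookie(USER_COOKIE, userId);
            c.setHttpOnly(true);             // not readable by page scripts
            c.setSecure(true);               // only sent over HTTPS
            c.setPath("/");
            c.setMaxAge(60 * 60 * 24 * 365); // one year, unlike the session
            resp.addCookie(c);
        }
        // Tie the current session to the user it belongs to.
        session.setAttribute("userId", userId);

        resp.setContentType("text/plain");
        resp.getWriter().printf(
            "session id before login: %s%nsession id after login:  %s%nuser id (UUID): %s%n",
            sessionIdBefore, sessionIdAfter, userId);
    }

    // Look up the user cookie, if the browser sent one.
    private static String findUserCookie(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (USER_COOKIE.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }
}
```

Two requests from the same browser will print two different session IDs but the same UUID, which is the property the question is after. The UUID only identifies the browser that presented the cookie; it is not proof of who is sitting at it, so authentication state still belongs in the session (and is re-established after `changeSessionId()`), while the UUID is the durable key for the user's records.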