 

Session Id Length in Tomcat

Tags: session, tomcat

We need to change the session ID length generated by Tomcat. By default it is 32 bytes; unfortunately we need a session ID length of 20. Looking online I can see the StandardManager seems to manage this, which extends PersistanceManager.

Does anyone know if the sessionIdLength can be modified in the Tomcat config? If so, which files?

An alternative would be to create a custom Manager which simply overrides/sets the sessionIdLength. Is this possible? How do you tell Tomcat to use the custom manager in the config?

James asked Jul 15 '09 16:07



2 Answers

Yes, you can modify the StandardManager via config file. The Manager element can be nested inside any Context.

So, modify whichever config file has your Context. It might be the server.xml located in the conf directory. Or a context.xml located in the META-INF directory of your war file.

To provide a default for the entire server, edit your $CATALINA_HOME/conf/context.xml. Uncomment the Manager line, and add the sessionIdLength attribute.

<Manager sessionIdLength="10" />
Steve K answered Nov 16 '22 03:11


Add the sessionIdLength attribute to the <Manager> element of your Tomcat's context.xml (or wherever your manager is defined).

Incidentally, the docs say that the default is 16, not 32.

skaffman answered Nov 16 '22 04:11
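Because sessionIdLength counts random bytes and Tomcat hex-encodes them, a value of 10 yields a 20-character cookie and the documented default of 16 yields the 32 characters the question observed, which is where the 16-versus-32 confusion in this thread comes from. The following audit script is an added example (not code from either answer or from Tomcat) that reads a context.xml, reports the effective setting, and flags it against an assumed 128-bit entropy threshold; both XML samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DEFAULT_SESSION_ID_BYTES = 16   # Tomcat's documented default when the attribute is absent
MIN_ENTROPY_BITS = 128          # assumed audit threshold, not a Tomcat setting


def session_id_settings(context_xml: str) -> dict:
    """Parse a context.xml document and report the effective session ID length.

    sessionIdLength is a count of random bytes; Tomcat renders the ID as hex,
    so the cookie value has twice as many characters. The first <Manager>
    nested under <Context> is used; if none declares the attribute, the
    default of 16 bytes applies.
    """
    root = ET.fromstring(context_xml)
    manager = root if root.tag == "Manager" else root.find(".//Manager")
    if manager is None or "sessionIdLength" not in manager.attrib:
        id_bytes, explicit = DEFAULT_SESSION_ID_BYTES, False
    else:
        id_bytes, explicit = int(manager.attrib["sessionIdLength"]), True
    entropy_bits = id_bytes * 8   # each random byte contributes 8 bits
    return {
        "explicit": explicit,
        "bytes": id_bytes,
        "hex_chars": id_bytes * 2,
        "entropy_bits": entropy_bits,
        "meets_minimum": entropy_bits >= MIN_ENTROPY_BITS,
    }


# Constructed sample: the Manager line uncommented and set as in the first answer.
SHORTENED = """<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
    <Manager sessionIdLength="10" />
</Context>"""

# Constructed sample: Manager line still commented out, so the default applies.
DEFAULT = """<Context>
    <!-- <Manager pathname="" /> -->
</Context>"""

if __name__ == "__main__":
    for name, xml in (("shortened", SHORTENED), ("default", DEFAULT)):
        s = session_id_settings(xml)
        print(f"{name}: {s['bytes']} bytes -> {s['hex_chars']} hex chars, "
              f"{s['entropy_bits']} bits of entropy, ok={s['meets_minimum']}")
```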