We need to change the session ID length generated by Tomcat. By default it is 32 bytes; unfortunately we need a session ID length of 20. Looking online I can see the StandardManager seems to manage this, which extends PersistentManager.
Does anyone know if the sessionIdLength can be modified in the Tomcat config? If so, in which files?
An alternative would be to create a custom Manager which simply overrides/sets the sessionIdLength. Is this possible? How do you tell Tomcat to use the custom manager in the config?
Session identifiers should be at least 128 bits long to prevent brute-force session guessing attacks. The WebLogic deployment descriptor should specify a session identifier length of at least 128 bits. A shorter session identifier leaves the application open to brute-force session guessing attacks.
Tomcat's session ID is only unique among all existing active sessions. The Servlet spec does not forbid reusing the ID of an expired session for a new session at some point, months or years later. With a fixed-length 32-character hexadecimal string as the session ID, the set of possible IDs is not "unlimited".
The SessionID property is used to uniquely identify a browser with session data on the server. The SessionID value is randomly generated by ASP.NET and stored in a non-expiring session cookie in the browser. The SessionID value is then sent in a cookie with each request to the ASP.NET application.
A Session is the Catalina-internal facade for an HttpSession that is used to maintain state information between requests for a particular user of a web application.
Yes, you can modify the StandardManager via a config file. The Manager element can be nested inside any Context.
So, modify whichever config file has your Context. It might be the server.xml located in the conf directory. Or a context.xml located in the META-INF directory of your war file.
To provide a default for the entire server, edit your $CATALINA_HOME/conf/context.xml. Uncomment the Manager line, and add the sessionIdLength attribute.
<Manager sessionIdLength="10" />
Add the sessionIdLength attribute to the Manager element of your Tomcat's context.xml (or wherever your manager is defined).
Incidentally, the docs say that the default is 16, not 32.
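Whatever value ends up in the Manager element, the thing worth verifying afterwards is what the running server actually hands out. The script below is an added example, not code from the page or from Tomcat: it parses the JSESSIONID value out of a Set-Cookie header, strips a trailing jvmRoute suffix (Tomcat appends "." plus the route name when one is configured, and that part is not random), converts hex characters to bytes and bits, and compares the result with the 128-bit floor quoted earlier on this page. The headers are constructed samples, and the cookie name JSESSIONID is assumed to be the default. Note that 10 bytes, as in the sample config above, gives only 80 bits, while the 20 bytes the question asks for gives 160 bits.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Minimum recommended session identifier size, as quoted on this page.
MIN_SESSION_ID_BITS = 128

# Constructed Set-Cookie samples (not captured from any real server).
SAMPLE_HEADERS = [
    # 32 hex chars = 16 bytes = 128 bits (Tomcat's documented default)
    "JSESSIONID=3F6C2A9E1B7D4C0A8E5F1A2B3C4D5E6F; Path=/app; HttpOnly",
    # 24 hex chars = 12 bytes = 96 bits (below the floor)
    "JSESSIONID=0A1B2C3D4E5F60718293A4B5; Path=/app; HttpOnly",
    # 16 bytes followed by a ".node1" jvmRoute suffix, which carries no entropy
    "JSESSIONID=A1B2C3D4E5F60718A1B2C3D4E5F60718.node1; Path=/app; HttpOnly",
]


@dataclass
class SessionIdReport:
    raw_value: str
    hex_chars: int
    id_bytes: int
    id_bits: int
    jvm_route: Optional[str]
    meets_minimum: bool


def extract_jsessionid(set_cookie: str) -> Optional[str]:
    """Return the JSESSIONID value from a Set-Cookie header, or None if absent."""
    match = re.search(r"(?:^|;\s*)JSESSIONID=([^;]+)", set_cookie)
    return match.group(1) if match else None


def analyse_session_id(value: str) -> SessionIdReport:
    """Measure the random part of a Tomcat session ID in bytes and bits."""
    # Split off an optional jvmRoute suffix ("<hex>.<route>"); only the hex
    # part is generated randomly, so only it counts towards the length.
    core, _, route = value.partition(".")
    if not re.fullmatch(r"[0-9A-Fa-f]+", core):
        raise ValueError(f"session id is not hexadecimal: {core!r}")
    hex_chars = len(core)
    # Tomcat's sessionIdLength is measured in bytes; each byte is two hex chars.
    id_bytes = hex_chars // 2
    id_bits = id_bytes * 8
    return SessionIdReport(
        raw_value=value,
        hex_chars=hex_chars,
        id_bytes=id_bytes,
        id_bits=id_bits,
        jvm_route=route or None,
        meets_minimum=id_bits >= MIN_SESSION_ID_BITS,
    )


def check_header(set_cookie: str) -> SessionIdReport:
    """Parse a Set-Cookie header and report on the session ID it carries."""
    value = extract_jsessionid(set_cookie)
    if value is None:
        raise ValueError("no JSESSIONID in Set-Cookie header")
    return analyse_session_id(value)


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        report = check_header(header)
        status = "OK" if report.meets_minimum else "TOO SHORT"
        print(f"{status:9} {report.id_bytes:2d} bytes / {report.id_bits:3d} bits "
              f"route={report.jvm_route} {report.raw_value}")
```

Run it against the Set-Cookie header of a fresh response from your own server (for example the header printed by curl -i) instead of the constructed samples; if the reported byte count does not match the configured sessionIdLength, the Manager element being edited is not the one that applies to that Context.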