tags:

views:

892

answers:

2
+3  Q: 

Session Id Length in Tomcat

Hi,

We need to change the session ID length gerenated by tomcat. By default it is 32 bytes, unfortunatly we need a session ID length of 20. Looking online I can see the StandardManager seems to manage this which extends PersistanceManager.

Does anyone know if the sessionIdLength can be modified in the tomcat config? If so what files?

An alternative would be to create a custom Manager which simply overrides/sets the sessionidLength. Is this possible? How do you tell tomcat to use the custom manager in the config?

Any help/comments are appreciated,

James

+2  A: 

Yes, you can modify the StandardManager via config file. The Manager element can be nested inside any Context.

So, modify whichever config file has your Context. It might be the server.xml located in the conf directory. Or a context.xml located in the META-INF directory of your war file.

To provide a default for the entire server, edit your $CATALINA_HOME/conf/context.xml. Uncomment the Manager line, and add the sessionIdLength attribute.

<Manager sessionIdLength="10" />
Steve K  2009-07-15 17:01:39
Thanks for the response,I added the above line to my /conf/context.xml with no effect. I am not sure if this is an issue but I also have <Resource> and <Realm> tags in the contect.xml.
James  2009-07-16 07:00:48
I had to delete my JSESSIONID cookie, then restart Tomcat to get a shorter cookie. Tomcat by default will persist Session information to disk during a restart. So I think it was persisting the longer cookie, and loading it back on startup. So, try to delete you JSESSIONID cookie, restart Tomcat. Hopefully that will result in the desired result.
Steve K  2009-07-16 15:28:30
A: 

Add the sessionIdLength attribute to the element of your Tomcat's context.xml (or wherever you're manager is defined).

Incidentally, the docs say that the default is 16, not 32.

skaffman  2009-07-15 17:09:31

related questions

What is typically the length of your optimal coding session?
What's the most current, good practice, and easiest way to use sessions in PHP?
What can cause an ASP.NET worker process to be recycled?
How do I explicitly set asp.net sessions to ONLY expire on closing the browser or explicit logou?
session variable mixup in ASP.NET?
In Classic asp, can I store a database connection in the Session object?
What are the advantages and disadvantages of the Session Façade Core J2EE Pattern?
Different values of GetHashCode for inproc and stateserver session variables
Best way for allowing subdomain session cookies using Tomcat
Is there a way to specify a different session store with Tomcat?
PHP: $_SESSION - What are the pros and cons of storing temporarily used data in the $_SESSION variable
What is the best way to handle sessions for a PHP site on multiple hosts?
How much data can/should you store in a users session object?
ASP.Net Session_Start event not firing
Logging image downloads
ASP.Net: If I have the Session ID, Can I get the Session object?
Secure session cookies in ASP.NET over HTTPS
Django Sessions
Can I put an ASP.Net session ID in a hidden form field?
Always including the user in the django template context
Rails - recovering database from Production.log
Most efficient way to get data from the database to session
What is the best way to prevent session hijacking?
FOSS ASP.Net Session Replication Solution?
How do I best detect an ASP.NET expired session?