sessionId generation, uniqueness, customizing sessionId

rwillie6
Joined: 2007-11-05

Questions:
1) How does GlassFish generate sessionIds?
2) Are GlassFish sessionIds unique to the machine and process? (e.g. assume X GlassFish instances on X servers NOT running in a cluster, but each operating independently, are the sessionIds generated by each instance guaranteed to be unique?)

If the answer to #2 is no, is there a way to specify a custom sessionId generator? I found something (here: http://wiki.glassfish.java.net/Wiki.jsp?page=SupportWLDDInContainers) saying "GlassFish does not provide configuration support for session id length, but supports custom session id generation algorithms via the "sessionIdGeneratorClassname" session manager property".

However, I have not been able to find much else online regarding the "sessionIdGeneratorClassname" session manager property. Any info about this? It's not mentioned in the GFv3 developer guide.

rwillie6

Okay, so, I went source diving to find this, but eventually got it.

Re #1: The sessionIds are generated by com.sun.enterprise.util.uuid.UuidUtil, which uses a combination of the following.

a) the 2 low bytes of the present time formatted
b) System.identityHashCode of the session instance
c) the ip addr of the machine plus some random
d) a random number from a SecureRandom

And all numbers are formatted as hex.

So, Re #2: I'm not an expert on the theoretical guarantees of randomness, but I would classify this as pretty-damn-near-guaranteed-unique.
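
Added example, not part of the original posts and not GlassFish's own code: a Java sketch of an ID built from the four components listed above, showing which fields keep independent hosts apart and which field resists guessing. The class name `SessionIdSketch`, the field widths, their order and the sample addresses are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

// Sketch of the four-part composition described in the post above.
// Field widths and ordering are assumptions, not UuidUtil's real layout.
public class SessionIdSketch {
    private static final SecureRandom RNG = new SecureRandom();

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b & 0xFF));
        return sb.toString();
    }

    static String generate(Object session, byte[] ipAddr) {
        // (a) low 2 bytes of the current time: guessable by anyone with a clock
        String time = String.format("%04x", System.currentTimeMillis() & 0xFFFF);
        // (b) identity hash: separates live sessions in one JVM, not a secret
        String identity = String.format("%08x", System.identityHashCode(session));
        // (c) machine address plus 2 random bytes: separates independent hosts
        byte[] salt = new byte[2];
        RNG.nextBytes(salt);
        String host = hex(ipAddr) + hex(salt);
        // (d) 64 bits from SecureRandom: the part that resists guessing
        String random = String.format("%016x", RNG.nextLong());
        return time + identity + host + random;
    }

    public static void main(String[] args) {
        // Constructed addresses from the documentation range 192.0.2.0/24.
        byte[] hostA = {(byte) 192, 0, 2, 10};
        byte[] hostB = {(byte) 192, 0, 2, 11};
        Set<String> seen = new HashSet<>();
        int total = 0;
        for (int i = 0; i < 100_000; i++) {
            Object session = new Object(); // stand-in for a session instance
            seen.add(generate(session, hostA));
            seen.add(generate(session, hostB));
            total += 2;
        }
        System.out.println("sample id:  " + generate(new Object(), hostA));
        System.out.println("generated:  " + total);
        System.out.println("collisions: " + (total - seen.size()));
    }
}
```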

rwillie6

I also found a reference in the forums from 2007, saying:

"Notice that GlassFish lets you configure your own sessionId generation algorithm, specified as the value of the session-id-generator-classname attribute of the element in domain.xml. The specified class must implement the com.sun.enterprise.util.uuid.UuidGenerator interface."

link: http://forums.java.net/jive/message.jspa?messageID=242022#242022

And a reference from the Glassfish v3 Prelude Administration Guide saying that the property session-id-generator-classname is not implemented.

link: http://docs.sun.com/app/docs/doc/820-4507/6nfvg4rd8?a=view