Is there any way to configure (xml) Tomcat (6.x) to generate unique SessionId? (Without extending ManagerBase/StandardManager.)
- The answer is "no" (not without extending the manager). But doesn't your Tomcat generate unique session IDs by default already? It should do. What exactly is the problem you're having with it? – BalusC, Oct 4, 2011 at 15:52
- I am capturing user login details in db table, with Session Id in a column with unique constraint, and am getting unique constraint exception – rameshmani, Oct 4, 2011 at 16:48
3 Answers
> I am capturing user login details in db table, with Session Id in a column with unique constraint, and am getting unique constraint exception
You should not store the Tomcat-generated session ID as a unique constraint in the DB. This makes no sense. Tomcat's session ID is only unique within all existing active sessions. The Servlet spec does not forbid reusing the ID of an expired session for a new session at some point, months or years later. With a fixed length 32-char hexadecimal string as session ID, all possible IDs are not "unlimited". You can't prevent it from being reused for a different client at some point.
I do not understand why you would ever store a Tomcat-generated session ID in the DB lifetime long. You should remove it from the DB whenever it has expired. Or you should solve your problem differently. As you didn't state anything about the functional requirement behind this "solution", I cannot give a more suitable answer. Here are, however, some hints:
- Do it the other way round: insert or select the necessary data in/from DB, get the DB-generated ID and store it as an attribute of the HttpSession. For example the logged-in user ID, or just the whole User object.
- Or, if it needs to expand the default lifetime of a session, e.g. "Remember me" option, then you should generate a UUID yourself (and test if it doesn't exist in DB yet) and use it in a separate cookie instead.
1 Comment
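The two hints in the answer above, as an added sketch that is not code from the answer or from Tomcat. The class `LoginTracking`, its methods and the in-memory maps standing in for the `login_audit` and `remember_me` tables are all hypothetical names assumed for illustration.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;

/** In-memory stand-ins for two DB tables (constructed for this example). */
public class LoginTracking {
    // login_audit: the key is DB-generated; session_id is a plain, non-unique column.
    private final AtomicLong loginSeq = new AtomicLong(); // stands in for a sequence
    private final Map<Long, String[]> loginAudit = new ConcurrentHashMap<Long, String[]>();
    // remember_me: the token column is the one that carries the unique constraint.
    private final Map<String, Long> rememberMe = new ConcurrentHashMap<String, Long>();

    /** Hint 1: record the login and return the generated key for the session. */
    public long recordLogin(long userId, String containerSessionId) {
        long loginId = loginSeq.incrementAndGet();
        loginAudit.put(loginId, new String[] { Long.toString(userId), containerSessionId });
        return loginId; // in a servlet: session.setAttribute("loginId", loginId)
    }

    /** Hint 2: issue a long-lived token, retrying if the unique constraint rejects it. */
    public String issueRememberMeToken(long userId) {
        for (int attempt = 0; attempt < 5; attempt++) {
            String token = UUID.randomUUID().toString(); // version 4, backed by SecureRandom
            if (rememberMe.putIfAbsent(token, userId) == null) {
                return token; // goes into a separate cookie, not JSESSIONID
            }
        }
        throw new IllegalStateException("could not allocate a unique token");
    }

    /** Resolves a presented cookie value; null means unknown or missing token. */
    public Long userForToken(String token) {
        return token == null ? null : rememberMe.get(token);
    }

    public static void main(String[] args) {
        LoginTracking db = new LoginTracking();
        // The same container session ID (constructed value) appears twice without conflict.
        long first = db.recordLogin(42L, "0A1B2C3D4E5F60718293A4B5C6D7E8F9");
        long second = db.recordLogin(43L, "0A1B2C3D4E5F60718293A4B5C6D7E8F9");
        String token = db.issueRememberMeToken(42L);
        System.out.println(first + " " + second + " " + db.userForToken(token));
    }
}
```

With a real database, `putIfAbsent` corresponds to an INSERT that is retried when the unique constraint on the token column is violated.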
I'm working on this issue myself, and I'd like to mention that it is possible to generate a guaranteed unique ID using 128 bits (32 hexadecimal digits) using UUID. It is based on UTC time, and is guaranteed to be unique as long as the usec timestamps at which different UUIDs are generated are different.
See also RFC4122: https://www.ietf.org/rfc/rfc4122.txt
Java has a standard class for generating these IDs:
http://docs.oracle.com/javase/6/docs/api/java/util/UUID.htm