
@johnrengelman johnrengelman released this Apr 24, 2019 · 95 commits to master since this release

This release fixes a security vulnerability around session ID generation and is recommended for all users.

The issue stems from the default session ID generator using a cryptographically weak pseudo-random number generator, the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain one session ID value, they can theoretically determine the sequence of session IDs. 1.6.1 uses system entropy when generating values so that they are not determinable.

If you are using client-side sessions, your application is not vulnerable, as the session ID is not used.

If you are using a version earlier than 1.6, you can fix the issue by binding a custom SessionIdGenerator implementation based on the one in the new version.
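A hardened generator of the kind this note recommends binding on pre-1.6 versions, shown beside the weak pattern it replaces. This is an added example, not code from the Ratpack project; it assumes that `ratpack.session.SessionIdGenerator` exposes a single `AsciiString generateSessionId()` method (Netty's `io.netty.util.AsciiString`) and that the Guice `bindInstance` wiring in the trailing comment is available in the application's bindings block.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.UUID;
import java.util.concurrent.ThreadLocalRandom;

import io.netty.util.AsciiString;
import ratpack.session.SessionIdGenerator;

// The weak pattern the release note describes: ThreadLocalRandom is not a
// cryptographic generator and its seed is derived from a predictable source,
// so observed IDs can, in theory, reveal the ones that follow.
class WeakSessionIdGenerator implements SessionIdGenerator {
  @Override
  public AsciiString generateSessionId() {
    ThreadLocalRandom r = ThreadLocalRandom.current();
    return new AsciiString(new UUID(r.nextLong(), r.nextLong()).toString());
  }
}

// Hardened replacement: SecureRandom draws on operating-system entropy, and
// 16 random bytes (128 bits) leave no practical chance of guessing a live ID.
class SecureSessionIdGenerator implements SessionIdGenerator {
  private static final int ID_BYTES = 16;
  private final SecureRandom random = new SecureRandom();
  // URL-safe alphabet, no padding: safe to carry in a cookie value as-is.
  private final Base64.Encoder encoder = Base64.getUrlEncoder().withoutPadding();

  @Override
  public AsciiString generateSessionId() {
    byte[] bytes = new byte[ID_BYTES];
    random.nextBytes(bytes);
    return new AsciiString(encoder.encodeToString(bytes));
  }
}

// Assumed application wiring (not from the Ratpack docs): bind the secure
// generator so it takes precedence over the session module's default.
//
// RatpackServer.start(server -> server
//   .registry(Guice.registry(b -> b
//     .module(SessionModule.class)
//     .bindInstance(SessionIdGenerator.class, new SecureSessionIdGenerator())))
//   .handlers(chain -> chain.get(ctx -> ctx.render("ok"))));
```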

Special thanks to Jonathan Leitschuh for discovering and reporting this vulnerability.
