Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Documenting session ID generation conflict #6

merged 1 commit into from

2 participants


The potential conflict has been reported in issue #4.

Jens Rantil Documenting session ID generation conflict.
The potential conflict has been reported in issue #4.
@victori victori merged commit 9bdb2c0 into victori:master
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Mar 20, 2012
  1. Documenting session ID generation conflict.

    Jens Rantil authored
    The potential conflict has been reported in issue #4.
This page is out of date. Refresh to see the latest.
Showing with 22 additions and 0 deletions.
  1. +22 −0 src/java/com/base/
22 src/java/com/base/
@@ -95,8 +95,30 @@ public void invalidateAll(final String arg0) {
// idmanager
+ /**
+ * Generate a new session.
+ *
+ * This session id generator can, in theory, generate overlapping session
+ * ID:s since no locking is performed between SessionIdManagers that are
+ * running on different JVMs (synchronized (...) { } only synchronizes
+ * within one JVM).
+ *
+ * <p> The risk of this happening can be minimized by making sure that the
+ * session-to-be-created is added to the backend as fast as possible so that
+ * {@link #idInUse(String)} calls will return false. If the backend is of
+ * replicated nature, or L1/L2, or is crucial that writes are pushed there
+ * as fast as possible (that is, minimize replication delay).
+ *
+ * <p> Of course, only doing session generation on one server will remedy
+ * this problem.
+ */
public String newSessionId(final HttpServletRequest request, final long created) {
synchronized (this) {
+ // Since this synchronization is only applicable to the running
+ // JVM, multiple session id generators could potentially (in theory)
+ // concurrently be generating the same ID. See JavaDoc for this
+ // method for details.
// A requested session ID can only be used if it is in use already.
String requested_id = request.getRequestedSessionId();
Something went wrong with that request. Please try again.