  1. JBoss Enterprise Application Platform
  2. JBEAP-4289

Undertow 'session-id-length' not working properly

Details

    • Bug
    • Resolution: Done
    • Minor
    • 7.1.0.DR8
    • 7.0.0.CR2
    • Undertow
    • None

    Description

      Attribute session-id-length of servlet-container:

      /subsystem=undertow/servlet-container=default:read-resource-description[session-id-length]
      

      does not work exactly the way its description says:

      "description" => "The length of the generated session ID. Longer session ID's are more secure.",
      

      When I change its value to X, the actual result value of the servlet session ID is ((X + 2) / 3) * 4, see this line of code. I am not sure what the reason for this is (probably to get some close greater number that can be divided by 4?).

      Please, there should be either:

      • the code changed so that the resulting session ID has a length that corresponds to what the user set
      • or the attribute description updated to properly explain to the user what is actually set

      Note: here is the Jira for which this feature has been introduced into Wildfly.
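
The formula quoted in the description, ((X + 2) / 3) * 4, is also the length of padded Base64 text for X bytes. The following is an added example, not Undertow's code and not part of the issue: it assumes the session ID is the Base64 text of X random bytes, and the class name, helper names and sample values are constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;

/** Added illustration, not Undertow code. Assumes the ID is Base64 text of X random bytes. */
public class SessionIdLengthDemo {

    private static final SecureRandom RANDOM = new SecureRandom();

    /** Length formula quoted in the issue (integer division). */
    static int reportedLength(int configured) {
        return ((configured + 2) / 3) * 4;
    }

    /** Hypothetical generator: X random bytes encoded as padded URL-safe Base64. */
    static String generate(int configured) {
        byte[] raw = new byte[configured];
        RANDOM.nextBytes(raw);
        return Base64.getUrlEncoder().encodeToString(raw);
    }

    /** Largest configured value whose resulting ID still fits in maxChars characters. */
    static int largestConfiguredFor(int maxChars) {
        return (maxChars / 4) * 3;
    }

    public static void main(String[] args) {
        System.out.printf("%-12s %-10s %-10s %s%n",
                "configured", "id chars", "formula", "random bits");
        // Constructed sample values for session-id-length.
        for (int x : new int[] {1, 2, 3, 16, 30, 32}) {
            String id = generate(x);
            // The generated text must match the formula from the issue exactly.
            if (id.length() != reportedLength(x)) {
                throw new AssertionError("formula mismatch for " + x);
            }
            // Under the stated assumption the randomness is 8 bits per configured
            // unit, regardless of how many characters the encoded ID has.
            System.out.printf("%-12d %-10d %-10d %d%n",
                    x, id.length(), reportedLength(x), 8 * x);
        }
        // A 32-character ID corresponds to a configured value of 24, not 32.
        System.out.println("largest value that fits a 32-char ID: "
                + largestConfiguredFor(32));
    }
}
```

Under this assumption the configured value counts random bytes rather than characters, so code that validates or stores session IDs by length (column widths, cookie filters, log parsers) has to allow for the encoded length, not the configured one.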

            People

              sdouglas1@redhat.com Stuart Douglas
              jstourac@redhat.com Jan Stourac