Is jSessionId really unique?

To add some context, I am developing an API to track user activity on a site (including anonymous users). So far, we have used the jsessionId to identify each user and their actions.

This API now works on Tomcat and JBoss.

The actual question is: since we analyze all the data one day at a time, is the uniqueness of this jsessionId guaranteed in any way throughout the day? Or can another user, though not at the same time, get the same jsessionId that was previously used by someone else?

Thanks in advance.

+6
1 answer

Sorry, this is not specified. It is only supposed to be unique for this JVM at this point in time. That is, session identifiers can be reused several times a day as long as no one else has that session. I agree that most actual implementations may provide a stronger guarantee, but I don't think you can count on that.

Take a look at this mailing list: in it, people discuss reusing session identifiers in both Tomcat and tar.

So, basically, the assumption that the session identifier is unique is valid only until the session is destroyed.

+7
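
An added example (not part of the question or the answer above): because the ID is only unique while the session exists, a daily analysis can key each session on the ID plus its creation time rather than on the ID alone. The log layout and sample rows are constructed, and the sketch assumes the application records session creation and destruction, for instance from a servlet `HttpSessionListener`.

```python
from collections import defaultdict

# Constructed sample of one day's tracking log: (epoch_seconds, jsessionid, event, detail).
# Assumption: "created"/"destroyed" rows come from a session lifecycle hook
# (e.g. a servlet HttpSessionListener); "activity" rows come from the tracking API.
EVENTS = [
    (1000, "A1B2", "created", ""),
    (1010, "A1B2", "activity", "/home"),
    (1020, "C3D4", "created", ""),
    (1030, "C3D4", "activity", "/login"),
    (1040, "A1B2", "activity", "/cart"),
    (1900, "A1B2", "destroyed", ""),
    (5000, "A1B2", "created", ""),        # same ID issued again later that day
    (5010, "A1B2", "activity", "/admin"),
    (5020, "E5F6", "activity", "/home"),  # activity with no recorded creation
]

def split_sessions(events):
    """Group activity by (jsessionid, creation time) instead of jsessionid alone."""
    live = {}                     # jsessionid -> creation time of the live session
    sessions = defaultdict(list)  # (jsessionid, created_at) -> [detail, ...]
    for ts, sid, event, detail in sorted(events):
        if event == "created":
            live[sid] = ts
            sessions[(sid, ts)]   # register the session even if it has no activity
        elif event == "destroyed":
            live.pop(sid, None)
        elif event == "activity":
            # Unknown creation time is keyed on None so it is never merged silently.
            sessions[(sid, live.get(sid))].append(detail)
    return dict(sessions)

def reused_ids(sessions):
    """Return IDs that identified more than one session instance in the period."""
    counts = defaultdict(int)
    for sid, _created in sessions:
        counts[sid] += 1
    return sorted(sid for sid, n in counts.items() if n > 1)

if __name__ == "__main__":
    result = split_sessions(EVENTS)
    for key, pages in sorted(result.items(), key=str):
        print(key, pages)
    print("reused:", reused_ids(result))
```

Keyed on the ID alone, the `/admin` hit at 5010 would be attributed to the same visitor as the earlier `/home` and `/cart` hits.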

Source: https://habr.com/ru/post/887317/

