-
1. Re: can sessionid length be changed in Wildfly10
nickarls Jun 8, 2016 2:47 PM (in response to hchenkwi)
Hmm, looking at undertow/SecureRandomSessionIdGenerator.java at master · undertow-io/undertow · GitHub I get the picture that it's 30, but perhaps the default implementation is another. I haven't checked how the implementations are selected and whether there is a way of picking another implementation. Is there a reason why not just increase the column size?
-
2. Re: can sessionid length be changed in Wildfly10
hchenkwi Jun 8, 2016 3:01 PM (in response to nickarls)
We can increase the column size, but for our situation each client has its own database schema, and changing the database means we have to touch all the schemas and all the tables related to this. It is doable, but I hope to find a way to avoid production downtime.
I saw this link talks about a similar thing, not sure if it applies to Wildfly 10:
security - JBoss EAP 6 - How to change java sessionid length - Stack Overflow
Thanks, Helen
-
3. Re: can sessionid length be changed in Wildfly10
nickarls Jun 9, 2016 1:40 AM (in response to hchenkwi)
I don't think it applies, since the class mentions Tomcat and WildFly is on Undertow nowadays. Perhaps someone from the Undertow team can shed some light on how the implementation class of the SessionIdGenerator interface is instantiated, so you don't have to dig through the source. Of course replacing the implementing class with one of your own is possible, but a hacked appserver is a maintenance burden. Usually(?) it's possible to increase the column length without downtime, but if there is a lot of DB code it might require code changes, too.
-
4. Re: can sessionid length be changed in Wildfly10
swd847 Jun 9, 2016 2:06 AM (in response to nickarls)
The session-id-length attribute on the <servlet-container> element in the undertow subsystem.
It is quite confusing though: it refers to the number of bytes of randomness that is used, however that is then base64 encoded, which enlarges it by a third, so you would need to use a value of 24 to get the result you want. From a security point of view, though, you are better off just making the column larger, as short session IDs can be a security risk.
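The byte-count versus character-count relationship described in the reply above, as an added example that is not part of the thread and not Undertow's own code. It mirrors the behaviour the reply describes (N random bytes, base64-style encoded at 4 characters per 3 bytes) so an operator can work out what `session-id-length` value fits a given column and how much entropy that leaves. The exact alphabet and padding rule of Undertow's generator are an assumption here (URL-safe base64 without padding is used); for byte counts that are multiples of 3, such as 24 and 30, the encoded length is identical either way. The 128-bit minimum-entropy policy is likewise an assumed local policy, not something the thread states.

```python
import base64
import math
import secrets

# Assumed local policy: refuse configurations that leave fewer than 128 bits
# of randomness in the session ID. This threshold is not from the thread.
MIN_ENTROPY_BITS = 128


def encoded_length(random_bytes: int) -> int:
    """Characters produced when random_bytes bytes are base64-encoded.

    Base64 emits 4 characters per 3 input bytes (padded to a whole group),
    which is the "enlarges it by a third" effect the reply describes.
    """
    return math.ceil(random_bytes / 3) * 4


def bytes_for_column(column_width: int) -> int:
    """Largest session-id-length (bytes) whose encoded ID fits column_width.

    Conservative: rounds down to whole 3-byte groups so the result holds
    whether or not the encoder pads, e.g. a 32-char column allows 24 bytes.
    """
    return (column_width // 4) * 3


def entropy_bits(random_bytes: int) -> int:
    """Bits of randomness in the ID: the bytes are random, the encoding adds none."""
    return random_bytes * 8


def check_session_id_length(random_bytes: int, column_width: int) -> dict:
    """Evaluate a candidate session-id-length against a DB column and the entropy policy."""
    chars = encoded_length(random_bytes)
    bits = entropy_bits(random_bytes)
    return {
        "random_bytes": random_bytes,
        "encoded_chars": chars,
        "fits": chars <= column_width,
        "entropy_bits": bits,
        "meets_entropy_policy": bits >= MIN_ENTROPY_BITS,
    }


def generate_session_id(random_bytes: int) -> str:
    """Produce a sample ID the way the reply describes: random bytes, then base64.

    Uses the OS CSPRNG via secrets; URL-safe alphabet and stripped padding are
    assumptions about the encoder, not a statement about Undertow's exact output.
    """
    raw = secrets.token_bytes(random_bytes)
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


if __name__ == "__main__":
    # Default of 30 bytes (per the GitHub link earlier in the thread) vs. the
    # 24 bytes the reply suggests for a 32-character column.
    for n in (30, 24, 8):
        report = check_session_id_length(n, column_width=32)
        print(report, generate_session_id(n))
```

Running it shows the default 30 bytes producing a 40-character ID that does not fit a 32-character column, 24 bytes producing 32 characters with 192 bits of entropy, and a too-small value such as 8 bytes fitting the column but failing the entropy policy, which is the trade-off the reply warns about.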
-
5. Re: can sessionid length be changed in Wildfly10
hchenkwi Jun 9, 2016 1:07 PM (in response to swd847)
I tried it, it works. I'll see if I should change the database or just change the configuration.
Thanks a lot for your help.
Helen