Hmm, looking at undertow/SecureRandomSessionIdGenerator.java at master · undertow-io/undertow · GitHub I get the picture that it's 30, but perhaps the default implementation is another. I haven't checked how the implementations are selected and whether there is a way of picking another implementation. Is there a reason not to just increase the column size?
We can increase the column size, but in our situation each client has its own database schema, so changing the database means we have to touch all the schemas and all the tables related to this. It is doable, but I hope to find a way to avoid production downtime.
I saw this link, which talks about a similar thing; not sure if it applies to WildFly 10.
I don't think it applies since the class mentions Tomcat and WildFly is on Undertow nowadays. Perhaps someone from the Undertow team can shed some light on how the implementation class of the SessionIdGenerator interface is instantiated so you don't have to dig through the source. Of course replacing the implementing class with one of your own is possible but a hacked appserver is a maintenance burden. Usually(?) it's possible to increase the column length without downtime but if there is a lot of DB code it might require code changes, too.
The session-id-length attribute on the <servlet-container> element in the undertow subsystem.
It is quite confusing though: it refers to the number of bytes of randomness that is used, but that is then base64 encoded, which enlarges it by a third, so you would need to use a value of 24 to get the result you want. From a security point of view though you are better off just making the column larger, as short session IDs can be a security risk.
I tried it, it works. I'll see if I should change the database or just change the configuration.
Thanks a lot for your help.
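
The sizing trade-off from the session-id-length answer above, worked through as an added example (not part of the thread and not Undertow's own code). The class name and the column widths are assumptions, and `java.util.Base64` stands in for Undertow's encoder.

```java
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper: relates session-id-length (random bytes) to the
// number of characters that must fit in the database column.
public class SessionIdSizing {

    // Base64 emits 4 characters per 3-byte block; a partial final block is
    // counted as a full one, which gives a safe upper bound.
    static int encodedLength(int randomBytes) {
        return ((randomBytes + 2) / 3) * 4;
    }

    // Largest session-id-length whose encoded form fits in the column.
    static int maxBytesForColumn(int columnChars) {
        return (columnChars / 4) * 3;
    }

    // Entropy carried by the ID: every random byte contributes 8 bits.
    static int entropyBits(int randomBytes) {
        return randomBytes * 8;
    }

    static String sampleId(int randomBytes) {
        byte[] raw = new byte[randomBytes];
        new SecureRandom().nextBytes(raw);
        return Base64.getUrlEncoder().encodeToString(raw);
    }

    public static void main(String[] args) {
        int[] columnWidths = {24, 32, 40}; // constructed sample column widths
        for (int width : columnWidths) {
            int bytes = maxBytesForColumn(width);
            String id = sampleId(bytes);
            if (id.length() != encodedLength(bytes) || id.length() > width) {
                throw new IllegalStateException("length mismatch for " + width);
            }
            System.out.printf("column=%d chars -> session-id-length=%d, "
                    + "id=%d chars, entropy=%d bits%n",
                    width, bytes, id.length(), entropyBits(bytes));
        }
    }
}
```

A 32-character column yields a session-id-length of 24 (192 bits), while a 40-character column accommodates 30 bytes (240 bits), the value seen in the linked generator source.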