Is it possible to modify the length of the session ids that JBoss generates?
The default session id length of 16 bytes is specified in org.jboss.web.tomcat.tc5.session.JBossManager and this class contains a setSessionIdLength method, but this appears never to be called.
The method of setting the session id length in stand-alone Tomcat by specifying a Manager element in the server.xml file seems to be ignored in the embedded Tomcat.
Found it (although this may not be available in JBoss < 4.0.0). There is an MBean parameter in the Manager MBean under jboss.web for the web application you wish to change the session id length for.