How to configure the number of characters of the session id (sessionIdLength) for a web application in JBoss EAP 6.x
Environment
- Red Hat JBoss Enterprise Application Platform (EAP) 6.x
Issue
How do I configure the number of characters of the session id (sessionIdLength) for a web application in JBoss EAP 6.x? Is there any configuration similar to the EAP 5 one described in this article?
Resolution
JBoss EAP 6.4.8 and later
A system property was added in JBoss EAP 6.4.8 for adjusting the length of the session id. The new system property is called org.apache.catalina.session.ManagerBase.SESSION_ID_LENGTH. The way the session id length is derived from this property is non-intuitive, so you will have to use the following formula to determine the value to set org.apache.catalina.session.ManagerBase.SESSION_ID_LENGTH to:
((Desired-Session-ID-Length / 4) * 3) - 2
For example, if you want a session ID length of 40:
((40 / 4) * 3) - 2 = 28
You would set org.apache.catalina.session.ManagerBase.SESSION_ID_LENGTH=28.
JBoss EAP 6.4.7 and earlier
As a workaround, you can modify the sessionIdLength attribute of the JMX MBean jboss.web:type=Manager,host=default-host,path=/myapp after start-up by setting the following system property:
-Dorg.apache.tomcat.util.ENABLE_MODELER=true
Or you can use a custom JBossWeb LifecycleListener like the following:
package com.redhat.jboss.support;

import org.apache.catalina.Context;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Manager;
import org.jboss.logging.Logger;

/**
 * LifecycleListener that sets the session manager's sessionIdLength
 * once the web application context has started.
 */
public class SetSessionIdLengthListener implements LifecycleListener {

    private static Logger log = Logger.getLogger(SetSessionIdLengthListener.class);

    // Number of random bytes used for the session id (JBossWeb default is 18).
    protected int sessionIdLength = 18;

    public void lifecycleEvent(LifecycleEvent event) {
        log.debug("SetSessionIdLengthListener#lifecycleEvent() is called.");
        String type = event.getType();
        // The Manager is only available once the Context has started.
        if (Lifecycle.AFTER_START_EVENT.equals(type)) {
            Context context = (Context) event.getSource();
            Manager manager = context.getManager();
            log.debug("manager.setSessionIdLength(" + sessionIdLength + ")");
            manager.setSessionIdLength(sessionIdLength);
        }
    }

    public int getSessionIdLength() {
        log.debug("SetSessionIdLengthListener#getSessionIdLength() is called. sessionIdLength = " + sessionIdLength);
        return sessionIdLength;
    }

    // Called by JBossWeb with the <param-value> configured in jboss-web.xml.
    public void setSessionIdLength(String value) {
        log.debug("SetSessionIdLengthListener#setSessionIdLength() is called. " + value + " is set.");
        this.sessionIdLength = Integer.parseInt(value);
    }
}
Then register it in a <listener> element in your web application's WEB-INF/jboss-web.xml like the following:
<jboss-web>
    <listener>
        <class-name>com.redhat.jboss.support.SetSessionIdLengthListener</class-name>
        <param>
            <param-name>sessionIdLength</param-name>
            <param-value>18</param-value>
        </param>
    </listener>
</jboss-web>
Please see the attached example SetSessionIdLengthListener.tar.gz for details.
Note:
- The number of characters of the SessionId is computed from ((sessionIdLength + 2) / 3) * 4. sessionIdLength is 18 by default, therefore the SessionId is 24 characters long by default.
- The maximum value is logically Integer.MAX_VALUE (= 2147483647), but you will see java.lang.ArrayIndexOutOfBoundsException if the session id overflows the maximum size of the HTTP request and response header (8192 bytes by default), or java.lang.OutOfMemoryError if you set too large a value.
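The relation between the system property formula in the Resolution and the character-count formula in the Note, as an added worked example that is not part of this solution or of JBossWeb. It assumes the character count corresponds to base64-encoding sessionIdLength random bytes (which is what ((n + 2) / 3) * 4 describes) and shows, beyond the single 40-character case above, that desired lengths which are not a multiple of 4 are rounded down.

```python
import base64
import secrets


def session_id_chars(session_id_length: int) -> int:
    """Characters in the session id for a given sessionIdLength (random bytes).
    Formula from the Note: ((sessionIdLength + 2) / 3) * 4."""
    return ((session_id_length + 2) // 3) * 4


def property_value(desired_chars: int) -> int:
    """Value for org.apache.catalina.session.ManagerBase.SESSION_ID_LENGTH
    for a desired character count. Formula from the Resolution:
    ((Desired-Session-ID-Length / 4) * 3) - 2, with integer division."""
    return ((desired_chars // 4) * 3) - 2


def actual_chars(desired_chars: int) -> int:
    """Session id length you really get after applying property_value()."""
    return session_id_chars(property_value(desired_chars))


def entropy_bits(session_id_length: int) -> int:
    """Unpredictability comes from the random bytes, not from the encoded
    character count: 8 bits per byte of sessionIdLength."""
    return session_id_length * 8


def simulate_session_id(session_id_length: int) -> str:
    """Assumption: a session id is the base64 encoding of sessionIdLength
    random bytes; this reproduces the character count of the Note."""
    return base64.b64encode(secrets.token_bytes(session_id_length)).decode("ascii")


if __name__ == "__main__":
    print("default sessionIdLength=18 ->", session_id_chars(18), "chars,",
          entropy_bits(18), "bits")
    for desired in (40, 42, 44):
        prop = property_value(desired)
        print(f"desired={desired}: set property to {prop} -> "
              f"{actual_chars(desired)} chars, {entropy_bits(prop)} bits")
    print("sample id (18 bytes):", simulate_session_id(18))
```

A desired length of 42 yields the same property value (28) as 40, so the id stays 40 characters long; only multiples of 4 are reached exactly.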
Diagnostic Steps
Only EAP 6.4.7 and lower are missing it. The system property "org.apache.catalina.session.ManagerBase.SESSION_ID_LENGTH" was introduced in CP08.
https://bugzilla.redhat.com/show_bug.cgi?id=1315598
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.