1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.eclipse.jetty.server.session;
20
21 import java.security.SecureRandom;
22 import java.util.Random;
23
24 import javax.servlet.http.HttpServletRequest;
25
26 import org.eclipse.jetty.server.SessionIdManager;
27 import org.eclipse.jetty.util.component.AbstractLifeCycle;
28 import org.eclipse.jetty.util.log.Log;
29 import org.eclipse.jetty.util.log.Logger;
30
31 public abstract class AbstractSessionIdManager extends AbstractLifeCycle implements SessionIdManager
32 {
33 private static final Logger LOG = Log.getLogger(AbstractSessionIdManager.class);
34
35 private final static String __NEW_SESSION_ID="org.eclipse.jetty.server.newSessionId";
36
37 protected Random _random;
38 protected boolean _weakRandom;
39 protected String _workerName;
40 protected long _reseed=100000L;
41
42
43 public AbstractSessionIdManager()
44 {
45 }
46
47
48 public AbstractSessionIdManager(Random random)
49 {
50 _random=random;
51 }
52
53
54
55
56
57
58 public long getReseed()
59 {
60 return _reseed;
61 }
62
63
64
65
66
67 public void setReseed(long reseed)
68 {
69 _reseed = reseed;
70 }
71
72
73
74
75
76
77
78
79 public String getWorkerName()
80 {
81 return _workerName;
82 }
83
84
85
86
87
88
89
90
91 public void setWorkerName(String workerName)
92 {
93 if (workerName.contains("."))
94 throw new IllegalArgumentException("Name cannot contain '.'");
95 _workerName=workerName;
96 }
97
98
99 public Random getRandom()
100 {
101 return _random;
102 }
103
104
105 public synchronized void setRandom(Random random)
106 {
107 _random=random;
108 _weakRandom=false;
109 }
110
111
112
113
114
115
116
117 public String newSessionId(HttpServletRequest request, long created)
118 {
119 synchronized (this)
120 {
121 if (request!=null)
122 {
123
124 String requested_id=request.getRequestedSessionId();
125 if (requested_id!=null)
126 {
127 String cluster_id=getClusterId(requested_id);
128 if (idInUse(cluster_id))
129 return cluster_id;
130 }
131
132
133 String new_id=(String)request.getAttribute(__NEW_SESSION_ID);
134 if (new_id!=null&&idInUse(new_id))
135 return new_id;
136 }
137
138
139 String id=null;
140 while (id==null||id.length()==0||idInUse(id))
141 {
142 long r0=_weakRandom
143 ?(hashCode()^Runtime.getRuntime().freeMemory()^_random.nextInt()^(((long)request.hashCode())<<32))
144 :_random.nextLong();
145 if (r0<0)
146 r0=-r0;
147
148
149 if (_reseed>0 && (r0%_reseed)== 1L)
150 {
151 LOG.debug("Reseeding {}",this);
152 if (_random instanceof SecureRandom)
153 {
154 SecureRandom secure = (SecureRandom)_random;
155 secure.setSeed(secure.generateSeed(8));
156 }
157 else
158 {
159 _random.setSeed(_random.nextLong()^System.currentTimeMillis()^request.hashCode()^Runtime.getRuntime().freeMemory());
160 }
161 }
162
163 long r1=_weakRandom
164 ?(hashCode()^Runtime.getRuntime().freeMemory()^_random.nextInt()^(((long)request.hashCode())<<32))
165 :_random.nextLong();
166 if (r1<0)
167 r1=-r1;
168 id=Long.toString(r0,36)+Long.toString(r1,36);
169
170
171
172 if (_workerName!=null)
173 id=_workerName + id;
174 }
175
176 request.setAttribute(__NEW_SESSION_ID,id);
177 return id;
178 }
179 }
180
181
182 @Override
183 protected void doStart() throws Exception
184 {
185 initRandom();
186 }
187
188
189 @Override
190 protected void doStop() throws Exception
191 {
192 }
193
194
195
196
197
198
199
200 public void initRandom ()
201 {
202 if (_random==null)
203 {
204 try
205 {
206 _random=new SecureRandom();
207 }
208 catch (Exception e)
209 {
210 LOG.warn("Could not generate SecureRandom for session-id randomness",e);
211 _random=new Random();
212 _weakRandom=true;
213 }
214 }
215 else
216 _random.setSeed(_random.nextLong()^System.currentTimeMillis()^hashCode()^Runtime.getRuntime().freeMemory());
217 }
218
219
220 }