7

To give some context, I'm developing an API to track user actions on the site (anonymous users too). So far, we use the jsessionId to identify each user and their actions.

That API now runs on Tomcat and JBoss.

The question that really matters is: since we analyze all data once a day, is the uniqueness of this jsessionId guaranteed in any way throughout the day? Or, not concurrently, can another user get the same jsessionId previously used by someone else?

Thanks in advance.

Samuel García
  • 1
    This is just a guess, but as the jSessionId basically is something like a UUID, in theory it could be possible that collisions happen but should be EXTREMELY unlikely. See http://en.wikipedia.org/wiki/Universally_unique_identifier#Random_UUID_probability_of_duplicates – helpermethod May 04 '11 at 22:53

1 Answer

7

Sorry, it's not specified. It's only required to be unique for that JVM at that point in time. That is, session IDs can be reused multiple times a day, as long as no one else has a session in place. I agree that most actual implementations might offer a stronger guarantee, but I don't think you can count on it.

Take a look at this mailing list - in it, people discuss session ID reuse in both Tomcat and Resin.

So, basically, the assumption that the session ID is unique is only true until the session gets destroyed.

MJB
  • Thanks for the answer. We were wondering about that possibility. So, is there any method to track guest users? – Samuel García May 05 '11 at 07:04
  • The specific cases discussed here mean that the **same user** gets assigned the same session ID for a new session. As far as I understood the question, this would not be a problem. The same session ID being reused for another user would not be impossible, but very unlikely (unless there's some malicious manipulation going on). – Joachim Sauer May 05 '11 at 07:05
  • 1
    Just to make sure I'm clear to inOde - yes, you can track users. But you have to be careful and realize that as soon as the session is released (SessionListener is your friend), someone else might use that ID. – MJB May 05 '11 at 09:06
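
An added example (not part of the original answer, and not Tomcat or JBoss code) of what this means for a once-a-day analysis: key each action on the session ID plus the session's creation time, so a JSESSIONID reused after destruction is counted as two sessions instead of one. The log format is hypothetical and the sample lines are constructed; the CREATED/DESTROYED lines are assumed to be written by an HttpSessionListener.

```python
from collections import Counter, defaultdict

# Constructed sample of one day's log. CREATED/DESTROYED lines are assumed to
# come from an HttpSessionListener; ACTION lines from the tracking API.
# Hypothetical format: epoch_ms <space> event <space> jsessionid [<space> detail]
SAMPLE_LOG = """\
1000 CREATED A1B2
1500 ACTION A1B2 /home
2000 ACTION A1B2 /cart
3000 DESTROYED A1B2
4000 CREATED C3D4
4500 ACTION C3D4 /home
6000 CREATED A1B2
6500 ACTION A1B2 /login
7000 ACTION FFFF /orphan
"""

def split_visits(log_text):
    """Group actions by (jsessionid, creation time), not by jsessionid alone.
    Returns (visits, orphans); orphans are actions with no live session."""
    live = {}                   # sid -> created_ms of the session currently alive
    visits = defaultdict(list)  # (sid, created_ms) -> action details
    orphans = []
    records = [ln.split(maxsplit=3) for ln in log_text.splitlines() if ln.strip()]
    for rec in sorted(records, key=lambda r: int(r[0])):
        ts, event, sid = int(rec[0]), rec[1], rec[2]
        if event == "CREATED":
            live[sid] = ts
            visits[(sid, ts)]   # register the session even if it has no actions
        elif event == "DESTROYED":
            live.pop(sid, None)
        elif event == "ACTION":
            detail = rec[3] if len(rec) > 3 else ""
            if sid in live:
                visits[(sid, live[sid])].append(detail)
            else:
                orphans.append((ts, sid, detail))
    return dict(visits), orphans

def reused_ids(visits):
    """Session IDs that identified more than one session during the day."""
    counts = Counter(sid for sid, _created in visits)
    return sorted(sid for sid, n in counts.items() if n > 1)

if __name__ == "__main__":
    day_visits, day_orphans = split_visits(SAMPLE_LOG)
    print(day_visits, day_orphans, reused_ids(day_visits))
```

Grouping the sample by ID alone would merge the `/login` action into the earlier `A1B2` session; the composite key keeps the two sessions apart and reports `A1B2` as reused.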