Reputation: 95
I have a requirement that needs to make sure the session ID format generated by Tomcat includes both upper- and lower-case characters and 0-9. I checked the source code of Tomcat: \org\apache\catalina\util\StandardSessionIdGenerator.java
In the method public String generateSessionId(String route)
there are a few lines that render the bytes to a String of hex digits, as follows:
    // Excerpt from generateSessionId(String route): each random byte is
    // split into two nibbles and each nibble is rendered as an upper-case hex digit.
    byte b1 = (byte) ((random[j] & 0xf0) >> 4);
    byte b2 = (byte) (random[j] & 0x0f);
    if (b1 < 10)
        buffer.append((char) ('0' + b1));
    else
        buffer.append((char) ('A' + (b1 - 10)));
    if (b2 < 10)
        buffer.append((char) ('0' + b2));
    else
        buffer.append((char) ('A' + (b2 - 10)));
It looks like when I change the capital 'A' to 'a', I can achieve my goal (the goal is that the generated session ID contains A-Z, a-z and 0-9).
The generated session ID after the change:
6B95cDf17411a9555D0E42d99C8E0292
Is this a simple and valid change, or do you see any potential concern?
Thanks.
Upvotes: 2
Views: 360
Reputation: 773
That sounds like a quite strange type of requirement - the important thing here is the length of the underlying session ID, not how it's encoded (there's a difference between a random ID like this and, for example, a password that a user selects). If the session IDs generated by Tomcat aren't deemed secure enough, the best option would probably be to simply raise the value of the sessionIdLength parameter.
With that said, if you really need to generate your own ID then a custom org.apache.catalina.SessionIdGenerator (possibly extending the StandardSessionIdGenerator) would be the way to go.
Upvotes: 1
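To make the answer's point concrete, here is an added example (written for this page, not code from Tomcat or from either poster) that re-implements the nibble-to-hex loop quoted in the question, the asker's 'A' to 'a' variant, and a fixed-width base-62 rendering of the same random bytes. It is in Python rather than Java so it runs stand-alone; `secrets.token_bytes` stands in for the SecureRandom that Tomcat uses. The sample ID in the question is consistent with the 'A' being changed only in the high-nibble branch, and the example assumes that. It shows that the case of a letter in the modified hex is fixed by its position (both encodings decode to the same bytes, so the change adds no entropy), that the entropy is 8 bits per random byte whatever the alphabet, and that the modified hex does not even guarantee a lower-case letter in every ID.

```python
import math
import secrets

# Alphabets: Tomcat's loop renders one hex digit per nibble; the 62-character
# alphabet is what "must contain A-Z, a-z and 0-9" really asks for.
HEX_UPPER = "0123456789ABCDEF"
ALPHANUM = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Session ID quoted in the question (produced after the 'A' -> 'a' change).
SAMPLE_ID = "6B95cDf17411a9555D0E42d99C8E0292"


def tomcat_hex(random_bytes: bytes) -> str:
    """Mirror of the nibble loop quoted in the question: upper-case hex."""
    out = []
    for b in random_bytes:
        b1 = (b & 0xF0) >> 4   # high nibble
        b2 = b & 0x0F          # low nibble
        out.append(HEX_UPPER[b1])
        out.append(HEX_UPPER[b2])
    return "".join(out)


def mixed_case_hex(random_bytes: bytes) -> str:
    """The asker's change, assumed to be 'A' -> 'a' in the high-nibble branch
    only. Case is then fixed by position, so it adds no information."""
    out = []
    for b in random_bytes:
        out.append(HEX_UPPER[(b & 0xF0) >> 4].lower())
        out.append(HEX_UPPER[b & 0x0F])
    return "".join(out)


def hex_to_bytes(session_id: str) -> bytes:
    """Both hex renderings decode to the same bytes: the case carries nothing."""
    return bytes.fromhex(session_id)


def chars_needed(num_random_bytes: int, alphabet_size: int) -> int:
    """Characters required to hold num_random_bytes of entropy losslessly."""
    return math.ceil(num_random_bytes * 8 / math.log2(alphabet_size))


def base62_encode(random_bytes: bytes) -> str:
    """Fixed-width base-62 rendering: every character position is random, so
    upper, lower and digits occur at random rather than by position."""
    n = int.from_bytes(random_bytes, "big")
    width = chars_needed(len(random_bytes), 62)
    digits = []
    for _ in range(width):
        n, r = divmod(n, 62)
        digits.append(ALPHANUM[r])
    return "".join(reversed(digits))


def base62_decode(session_id: str, num_random_bytes: int) -> bytes:
    """Inverse of base62_encode; proves the encoding loses no entropy."""
    n = 0
    for c in session_id:
        n = n * 62 + ALPHANUM.index(c)
    return n.to_bytes(num_random_bytes, "big")


def has_all_classes(session_id: str) -> bool:
    """The asker's requirement as a check: at least one of each class."""
    return (any(c.isupper() for c in session_id)
            and any(c.islower() for c in session_id)
            and any(c.isdigit() for c in session_id))


def prob_missing_lowercase_mixed_hex(num_random_bytes: int) -> float:
    """With the 'A' -> 'a' change a lower-case letter appears only when a high
    nibble is >= 10; the chance that none of the n high nibbles is: (10/16)^n."""
    return (10 / 16) ** num_random_bytes


def generate(num_random_bytes: int = 16) -> dict:
    """Draw one ID's worth of random bytes (constructed here with secrets, in
    place of Tomcat's SecureRandom) and render it three ways; the entropy is
    8 * num_random_bytes bits in every case."""
    rnd = secrets.token_bytes(num_random_bytes)
    return {
        "entropy_bits": num_random_bytes * 8,
        "tomcat_hex": tomcat_hex(rnd),
        "mixed_case_hex": mixed_case_hex(rnd),
        "base62": base62_encode(rnd),
    }


if __name__ == "__main__":
    for name, value in generate().items():
        print(f"{name:15} {value}")
    print("sample decodes to bytes:", hex_to_bytes(SAMPLE_ID).hex())
    print("P(no lower-case letter | mixed hex, 16 bytes) =",
          prob_missing_lowercase_mixed_hex(16))
```

Running it shows a 16-byte ID as 32 hex characters or 22 base-62 characters with identical 128-bit entropy; raising the number of random bytes (Tomcat's sessionIdLength) is what changes the entropy, while swapping 'A' for 'a' changes only the spelling. Note also that even a random base-62 ID of a given length can occasionally lack one character class, so a hard "must contain all three classes" rule would have to be enforced by re-drawing, which the page does not describe.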