How is a sessionID generated?

http://docs.oracle.com/cd/E17802_01/products/products/servlet/2.3/javadoc/javax/servlet/http/HttpSession.html#getId()

"The identifier is assigned by the servlet container and is implementation dependent."

The jsessionid is generated whenever a new session is created.


A java.security.MessageDigest algorithm is normally used.

Usually the generated ID is just a set of random numbers, up until the required length, but it varies according to the algorithms used in the various servlet containers.

In Tomcat 6, for example, have a look at:

ManagerBase.sessionIdLength

and

ManagerBase.createSession() //which calls generateSessionId()

See http://www.docjar.com/html/api/org/apache/catalina/session/ManagerBase.java.html
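
A sketch of the scheme the answer above describes (random bytes passed through a java.security.MessageDigest and hex-encoded until the required length is reached), added here as an illustration. It is not Tomcat's ManagerBase code; the class name, the SHA-256 choice and the 16-byte length are assumptions.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

public class SessionIdSketch {
    // Assumed values for this sketch, not any container's documented defaults.
    private static final int ID_LENGTH_BYTES = 16;      // 16 bytes -> 32 hex characters
    private static final String DIGEST = "SHA-256";
    private static final char[] HEX = "0123456789ABCDEF".toCharArray();

    // The ID's unpredictability comes from the CSPRNG; java.util.Random would
    // make IDs guessable no matter which digest is applied afterwards.
    private final SecureRandom random = new SecureRandom();

    public String generateSessionId() throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(DIGEST);
        StringBuilder id = new StringBuilder(ID_LENGTH_BYTES * 2);
        byte[] seed = new byte[16];
        int produced = 0;
        while (produced < ID_LENGTH_BYTES) {
            random.nextBytes(seed);
            // Hashing keeps raw generator output out of the ID; digest() resets md.
            byte[] block = md.digest(seed);
            for (int i = 0; i < block.length && produced < ID_LENGTH_BYTES; i++, produced++) {
                id.append(HEX[(block[i] >> 4) & 0x0F]).append(HEX[block[i] & 0x0F]);
            }
        }
        return id.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SessionIdSketch gen = new SessionIdSketch();
        Set<String> seen = new HashSet<>();
        for (int i = 0; i < 10_000; i++) {
            String id = gen.generateSessionId();
            if (id.length() != ID_LENGTH_BYTES * 2) {
                throw new IllegalStateException("unexpected length: " + id.length());
            }
            if (!seen.add(id)) {
                throw new IllegalStateException("duplicate session ID: " + id);
            }
        }
        System.out.println("generated " + seen.size() + " distinct IDs, e.g. " + gen.generateSessionId());
    }
}
```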


It is container specific. Tomcat: http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html#Manager