Status: Closed (closed by maxg 12 years ago)
The AppJet framework module stringutils.js initializes a java.util.Random with System.currentTimeMillis() as the seed. Request handlers instantiated during the same millisecond will therefore generate identical session IDs when sessions.js uses stringutils.randomHash(...).
The workaround is to preemptively generate and set session IDs using identical code but better random numbers; constructing a Random with no specified seed accomplishes this.
Users occasionally spontaneously become logged in as a different user! The entire session appears to be switched out. It is unclear whether the switch occurs during comet communication or during a new page request.
(Imported from Bitbucket #54 reported by maxg on 2011-09-30)