uid / collabode

collab + code = collabode
http://groups.csail.mit.edu/uid/collabode/

Spontaneous session hijacking #54

Closed maxg closed 12 years ago

maxg commented 12 years ago

Users occasionally spontaneously become logged in as a different user!

Entire session appears to be switched out. Unclear whether the switch occurs during comet communication, or during a new page request.

(Imported from Bitbucket #54 reported by maxg on 2011-09-30)

maxg commented 12 years ago

AppJet framework module stringutils.js initializes a java.util.Random with System.currentTimeMillis() as the seed. Request handlers instantiated during the same millisecond will therefore generate identical session IDs when sessions.js uses stringutils.randomHash(...).

Workaround is to preemptively generate and set session IDs using identical code but better random numbers; constructing a Random with no specified seed accomplishes this.