How unique is HttpSession.getId()?

Question

Is the value returned by HttpSession.getId() guaranteed to be unique across time -- or only unique among all active sessions?

In other words, can I use it as a key for a session log entry (which user logged in when and for how long)?

If getId is implementation-specific (which I’m guessing it is, as the J2EE spec is silent about this issue), how is it treated on Google App Engine?

Answer 1

As far as i know, the session IDs are only unique as long as you did not restart the webserver. So the Session ID is unique across time during the lifecycle of your webserver.

In Apache Tomcat you can check out ManagerBase.generateSessionId() to learn how the ID is generated. But beware in Tomcat the generated IDs are only unique across the same context.

hope that helped

Answer 2

Yes, it is dependent on the implementation. As it is for any method in any interface :-). It is up to the programmer to make sure the id is unique.

If you use ManagerBase.createSession(java.lang.String) in combination with UUID you are 100% sure your id will be unique.

Answer 3

The question is about Google App Engine. GAE is based on Jetty not Tomcat sou you can't use ManagerBase.createSession(java.lang.String). The session is distributed and persisted in Datastore (or memcached). It is tracked by means of a cookie (called JSESSONID), which is managed by the servlet container. In Datastore there are entities of kind _ah_SESSION with id which is session id prefixed by "_ahs". Currently _ah_SESSION entities are not deleted automatically. So the answer is: currently session id on GAE is unique across time.