
#3 Duplicate Session IDs

closed-fixed
nobody
None
5
2008-02-07
2007-12-12
Benjamin Reed
No

There is a flaw in session ID generation that causes the same session ID to be created for two different clients connected at
the same time.

[One more note: Ben told me that the session ID generation is random - there is a high chance of duplicates depending
on how random seeds are initialized; it is also pseudo-random function specific.]

Problem description:

We have an application that creates 1 ephemeral node of the following form:
'.../<host:port>/connected'
where <host:port> is specific to the node where the application runs and is retrieved using gethostbyname, and the
value of 'connected' is set to the current time (as returned by time function).

We have many applications; however, let's consider applications A and B that are connecting from 2 hosts: A from
rz502425:8080 and B from llf520108:8080.

Discussion

  • Benjamin Reed
    2007-12-12

    Logged In: YES
    user_id=154690
    Originator: YES

    It turns out I was wrong. The session ID isn't random; it is simply a 64-bit number with the high-order bits set to System.currentTimeMillis(). The patch "[ 1848999 ] Patch for session conflicsts on leader and followers" should address this problem, but just to add a bit more detail:

    Session creation is a very common operation. It doesn't need to go through consensus and it happens with every new client connect, so being able to let each server do it independently would be optimal. The key to independent session creation is partitioning the session ID space properly. I think Patch 1848999 does it correctly: the first 8 bits partition by server id; that prevents reuse between servers. The next 32 bits use currentTimeMillis(); that prevents different instances of the same server from reusing the same 40-bit prefix. The rest of the bits are just a counter.

     
  • Jacob Levy
    2007-12-12

    Logged In: YES
    user_id=63723
    Originator: NO

    I agree that partitioning by ZK server ID and then further uniquifying with currentTimeMillis() is sufficient to yield a unique session ID.

     
  • Benjamin Reed
    2008-02-07

    • status: open --> closed-fixed
     
  • Benjamin Reed
    2008-02-07

    Logged In: YES
    user_id=154690
    Originator: YES

    Fixed with: [ 1848999 ] Patch for session conflicsts on leader and followers
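
The session ID partitioning described in the discussion above (8 bits of server id, 32 bits from currentTimeMillis(), the remaining 24 bits a counter), written out in Java next to a clock-only scheme that collides. This is an added example, not code from patch 1848999 or from ZooKeeper; the class and method names, the 16-bit shift in the legacy scheme, and the use of the low 32 clock bits are assumptions.

```java
import java.util.concurrent.atomic.AtomicLong;

// Added illustration, not ZooKeeper source. Layout per the discussion above:
// 8 bits server id | 32 bits of start time | 24-bit counter.
public class SessionIdDemo {
    static final int COUNTER_BITS = 24, TIME_BITS = 32;
    static final long COUNTER_MASK = (1L << COUNTER_BITS) - 1;

    // Pre-patch scheme as described: clock in the high-order bits, nothing
    // server-specific. The 16-bit shift is an assumption; the page gives no layout.
    static long legacyFirstId(long startMillis) {
        return startMillis << 16;
    }

    static final class Generator {
        private final long prefix;   // top 40 bits, fixed for one server instance
        private final AtomicLong counter = new AtomicLong();

        Generator(int serverId, long startMillis) {
            if (serverId < 0 || serverId > 0xFF)
                throw new IllegalArgumentException("server id must fit in 8 bits");
            // Assumption: the low 32 bits of the clock are used; they repeat
            // roughly every 49.7 days.
            long time32 = startMillis & 0xFFFFFFFFL;
            prefix = ((long) serverId << (TIME_BITS + COUNTER_BITS)) | (time32 << COUNTER_BITS);
        }

        long next() {
            long c = counter.getAndIncrement();
            // Refuse to wrap: higher counter bits would overwrite the time field.
            if (c > COUNTER_MASK) throw new IllegalStateException("counter exhausted");
            return prefix | c;
        }
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();   // two servers start in the same millisecond
        long oldA = legacyFirstId(now), oldB = legacyFirstId(now);
        System.out.printf("legacy   A=%016x B=%016x same=%b%n", oldA, oldB, oldA == oldB);

        long idA = new Generator(1, now).next(), idB = new Generator(2, now).next();
        System.out.printf("servers  A=%016x B=%016x same=%b%n", idA, idB, idA == idB);

        long idA2 = new Generator(1, now + 5000).next();   // server 1 restarted 5 s later
        System.out.printf("restart  A=%016x A'=%016x same=%b%n", idA, idA2, idA == idA2);
    }
}
```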