Tomcat Developers, I am a UCCS student and the project I have been working on is related to session ID generation.
I have checked the source code of Tomcat 6 (6.0.24) and I think I have found a mistake.

org.apache.catalina.session.ManagerBase, line 567:

    long update = ((byte) entropy[i]) << ((i % 8) * 8);

This solution is not perfect. The update will be a 32-bit integer this way, so only the 32 LSB of the seed will be modified by entropy through the XOR. The byte casting should be replaced by a long casting, like this:

    long update = ((long) entropy[i]) << ((i % 8) * 8);

I hope you understand my point.

Sincerely,
Andras Rozsa
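The following is an added, self-contained Java example (not Tomcat's own code and not part of the report above) that puts the two mixing loops side by side so the effect of the cast can be observed. It assumes, as in the report, that entropy is indexed per position and that the seed is a long; the entropy array is modelled as a char[] (what a String.toCharArray() would give), and the entropy text and starting seed are constructed stand-ins. The point it demonstrates is a Java promotion rule: with a byte left operand the shift is performed on an int, so the shift distance is reduced modulo 32 and the 32-bit result is sign-extended into the long, which means no entropy position can set an independent bit in the upper 32 bits of the seed.

```java
// Added example, not Tomcat code: compares the int-width and long-width shift in the seed mixing loop.
public class SeedMixing {

    // Loop as quoted in the report. (byte) is promoted to int for the shift, so the
    // shift distance is taken mod 32 and the int result is sign-extended when stored.
    static long mixWithByteCast(long seed, char[] entropy) {
        for (int i = 0; i < entropy.length; i++) {
            long update = ((byte) entropy[i]) << ((i % 8) * 8);
            seed ^= update;
        }
        return seed;
    }

    // Loop with the proposed fix: the cast to long happens before the shift,
    // so the shift is a 64-bit shift and positions 4..7 reach bits 32..56.
    static long mixWithLongCast(long seed, char[] entropy) {
        for (int i = 0; i < entropy.length; i++) {
            long update = ((long) entropy[i]) << ((i % 8) * 8);
            seed ^= update;
        }
        return seed;
    }

    // Which seed bit does a value of 1 at entropy position i land on?
    // The probe array is all zeros except position i, so the result is exactly that lane.
    static long laneMask(int i, boolean longCast) {
        char[] probe = new char[i + 1];
        probe[i] = '\u0001';
        return longCast ? mixWithLongCast(0L, probe) : mixWithByteCast(0L, probe);
    }

    public static void main(String[] args) {
        // Constructed entropy text and seed; real values would come from the manager's
        // entropy string and the clock, but the bit behaviour does not depend on them.
        char[] entropy = "constructed-entropy-string@1a2b3c4d".toCharArray();
        long seed = 0x0123456789ABCDEFL;

        System.out.printf("seed          = %016x%n", seed);
        System.out.printf("byte cast mix = %016x%n", mixWithByteCast(seed, entropy));
        System.out.printf("long cast mix = %016x%n", mixWithLongCast(seed, entropy));

        // Positions 4..7 wrap back onto bits 0, 8, 16 and 24 with the byte cast.
        for (int i = 0; i < 8; i++) {
            System.out.printf("position %d: byte cast touches bit %2d, long cast touches bit %2d%n",
                    i,
                    Long.numberOfTrailingZeros(laneMask(i, false)),
                    Long.numberOfTrailingZeros(laneMask(i, true)));
        }

        // A set high bit makes the int negative; sign extension then fills the upper
        // 32 bits with copies of bit 31, so they carry no entropy of their own.
        char[] highBit = {'\0', '\0', '\0', '\u0080'};
        System.out.printf("0x80 at position 3: byte cast %016x, long cast %016x%n",
                mixWithByteCast(0L, highBit), mixWithLongCast(0L, highBit));
    }
}
```

Running the main method prints the lane table: with the byte cast, positions 0..3 touch bits 0, 8, 16 and 24 and positions 4..7 touch the same four bits again, while with the long cast positions 4..7 touch bits 32, 40, 48 and 56. The last line shows the sign-extension case (0xffffffff80000000 versus 0000000080000000), which is why the upper half of the seed never receives independent entropy under the original expression. One thing to keep in mind about the proposed line is that casting a char directly to long keeps all 16 bits of the character, so adjacent 8-bit lanes overlap; whether that is acceptable depends on what the entropy source is, and is worth deciding explicitly when applying the fix.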