1//
2//  ========================================================================
3//  Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd.
4//  ------------------------------------------------------------------------
5//  All rights reserved. This program and the accompanying materials
6//  are made available under the terms of the Eclipse Public License v1.0
7//  and Apache License v2.0 which accompanies this distribution.
8//
9//      The Eclipse Public License is available at
10//      http://www.eclipse.org/legal/epl-v10.html
11//
12//      The Apache License v2.0 is available at
13//      http://www.opensource.org/licenses/apache2.0.php
14//
15//  You may elect to redistribute this code under either of these licenses.
16//  ========================================================================
17//
18
19package org.eclipse.jetty.server.session;
20
21import java.security.SecureRandom;
22import java.util.Random;
23
24import javax.servlet.http.HttpServletRequest;
25
26import org.eclipse.jetty.server.SessionIdManager;
27import org.eclipse.jetty.util.component.AbstractLifeCycle;
28import org.eclipse.jetty.util.log.Log;
29import org.eclipse.jetty.util.log.Logger;
30
31public abstract class AbstractSessionIdManager extends AbstractLifeCycle implements SessionIdManager
32{
33    private static final Logger LOG = Log.getLogger(AbstractSessionIdManager.class);
34
35    private final static String __NEW_SESSION_ID="org.eclipse.jetty.server.newSessionId";
36
37    protected Random _random;
38    protected boolean _weakRandom;
39    protected String _workerName;
40    protected long _reseed=100000L;
41
42    /* ------------------------------------------------------------ */
43    public AbstractSessionIdManager()
44    {
45    }
46
47    /* ------------------------------------------------------------ */
48    public AbstractSessionIdManager(Random random)
49    {
50        _random=random;
51    }
52
53
54    /* ------------------------------------------------------------ */
55    /**
56     * @return the reseed probability
57     */
58    public long getReseed()
59    {
60        return _reseed;
61    }
62
63    /* ------------------------------------------------------------ */
64    /** Set the reseed probability.
65     * @param reseed  If non zero then when a random long modulo the reseed value == 1, the {@link SecureRandom} will be reseeded.
66     */
67    public void setReseed(long reseed)
68    {
69        _reseed = reseed;
70    }
71
72    /* ------------------------------------------------------------ */
73    /**
74     * Get the workname. If set, the workername is dot appended to the session
75     * ID and can be used to assist session affinity in a load balancer.
76     *
77     * @return String or null
78     */
79    public String getWorkerName()
80    {
81        return _workerName;
82    }
83
84    /* ------------------------------------------------------------ */
85    /**
86     * Set the workname. If set, the workername is dot appended to the session
87     * ID and can be used to assist session affinity in a load balancer.
88     *
89     * @param workerName
90     */
91    public void setWorkerName(String workerName)
92    {
93        if (workerName.contains("."))
94            throw new IllegalArgumentException("Name cannot contain '.'");
95        _workerName=workerName;
96    }
97
98    /* ------------------------------------------------------------ */
99    public Random getRandom()
100    {
101        return _random;
102    }
103
104    /* ------------------------------------------------------------ */
105    public synchronized void setRandom(Random random)
106    {
107        _random=random;
108        _weakRandom=false;
109    }
110
111    /* ------------------------------------------------------------ */
112    /**
113     * Create a new session id if necessary.
114     *
115     * @see org.eclipse.jetty.server.SessionIdManager#newSessionId(javax.servlet.http.HttpServletRequest, long)
116     */
117    public String newSessionId(HttpServletRequest request, long created)
118    {
119        synchronized (this)
120        {
121            if (request!=null)
122            {
123                // A requested session ID can only be used if it is in use already.
124                String requested_id=request.getRequestedSessionId();
125                if (requested_id!=null)
126                {
127                    String cluster_id=getClusterId(requested_id);
128                    if (idInUse(cluster_id))
129                        return cluster_id;
130                }
131
132                // Else reuse any new session ID already defined for this request.
133                String new_id=(String)request.getAttribute(__NEW_SESSION_ID);
134                if (new_id!=null&&idInUse(new_id))
135                    return new_id;
136            }
137
138            // pick a new unique ID!
139            String id=null;
140            while (id==null||id.length()==0||idInUse(id))
141            {
142                long r0=_weakRandom
143                ?(hashCode()^Runtime.getRuntime().freeMemory()^_random.nextInt()^(((long)request.hashCode())<<32))
144                :_random.nextLong();
145                if (r0<0)
146                    r0=-r0;
147
148		// random chance to reseed
149		if (_reseed>0 && (r0%_reseed)== 1L)
150		{
151		    LOG.debug("Reseeding {}",this);
152		    if (_random instanceof SecureRandom)
153		    {
154			SecureRandom secure = (SecureRandom)_random;
155			secure.setSeed(secure.generateSeed(8));
156		    }
157		    else
158		    {
159			_random.setSeed(_random.nextLong()^System.currentTimeMillis()^request.hashCode()^Runtime.getRuntime().freeMemory());
160		    }
161		}
162
163                long r1=_weakRandom
164                ?(hashCode()^Runtime.getRuntime().freeMemory()^_random.nextInt()^(((long)request.hashCode())<<32))
165                :_random.nextLong();
166                if (r1<0)
167                    r1=-r1;
168                id=Long.toString(r0,36)+Long.toString(r1,36);
169
170                //add in the id of the node to ensure unique id across cluster
171                //NOTE this is different to the node suffix which denotes which node the request was received on
172                if (_workerName!=null)
173                    id=_workerName + id;
174            }
175
176            request.setAttribute(__NEW_SESSION_ID,id);
177            return id;
178        }
179    }
180
181    /* ------------------------------------------------------------ */
182    @Override
183    protected void doStart() throws Exception
184    {
185       initRandom();
186    }
187
188    /* ------------------------------------------------------------ */
189    @Override
190    protected void doStop() throws Exception
191    {
192    }
193
194    /* ------------------------------------------------------------ */
195    /**
196     * Set up a random number generator for the sessionids.
197     *
198     * By preference, use a SecureRandom but allow to be injected.
199     */
200    public void initRandom ()
201    {
202        if (_random==null)
203        {
204            try
205            {
206                _random=new SecureRandom();
207            }
208            catch (Exception e)
209            {
210                LOG.warn("Could not generate SecureRandom for session-id randomness",e);
211                _random=new Random();
212                _weakRandom=true;
213            }
214        }
215        else
216            _random.setSeed(_random.nextLong()^System.currentTimeMillis()^hashCode()^Runtime.getRuntime().freeMemory());
217    }
218
219
220}
221