
JBoss EAP 6 - How to change java sessionid length

Our security testing team has mandated that we increase the session ID length to 50 chars.

https://www.owasp.org/index.php/Insufficient_Session-ID_Length

How do I change it in JBoss Application Server EAP 6?

I found the answer to this question in another forum. Actually, JBoss doesn't provide any way to override the session ID length. The org.jboss.web.tomcat.service.session.SessionIDGenerator class doesn't provide any public method to modify the session ID length, and there is no known way to provide a custom SessionIDGenerator to JBoss.

Now, here is the workaround: you can increase the length of the session ID by adding the system property "jvmRoute" to the JBoss configuration. This adds an additional value to the session ID.

For a JBoss EAP 6 standalone environment, edit jboss-eap-6.2/standalone/configuration/standalone.xml to add the following system property:

    <system-properties>
       <property name="jvmRoute" value="qU2O2h8yQ1cxI9XsPK0aHlr3p"/>
    </system-properties>

A system property was added in JBoss EAP 6.4.8 for adjusting the length of the session ID. The new system property is called org.apache.catalina.session.ManagerBase.SESSION_ID_LENGTH.

The behavior that sets the session ID length based on the new system property is non-intuitive, so you will have to use a formula to determine what you set org.apache.catalina.session.ManagerBase.SESSION_ID_LENGTH to:

((Desired-Session-ID-Length / 4) * 3) - 2

For example, if you want a session ID length of 40:

((40 / 4) * 3) - 2 = 28

You would set org.apache.catalina.session.ManagerBase.SESSION_ID_LENGTH=28.

Note: This solution works for JBoss EAP 6.4.8 and later versions.

You can learn more here: https://access.redhat.com/solutions/454893
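The two answers above describe a formula for sizing the SESSION_ID_LENGTH property and a jvmRoute suffix that lengthens the cookie. The script below is an added example, not code from either answer, from JBoss or from Red Hat: it applies the quoted formula, renders the standalone.xml fragment, and gives the security testing team a check that measures a JSESSIONID from a Set-Cookie header. The helper names (size_property_value, standalone_system_properties, session_id_from_set_cookie, measure_session_id) are hypothetical, the Set-Cookie header is constructed, and the 128-bit threshold is the minimum the linked OWASP page recommends. One caveat the check encodes: the "." + jvmRoute suffix that JBoss Web appends is a fixed, configured string, so it adds characters but no randomness, and the check strips it before estimating entropy.

```python
"""Sizing and checking JBoss EAP 6 session IDs.

Added example for this page, not code from either answer, from JBoss or from
Red Hat. Helper names are hypothetical; the Set-Cookie sample is constructed.
The sizing formula is the one quoted from
https://access.redhat.com/solutions/454893 for EAP 6.4.8 and later.
"""
import math
import re
import string

PROPERTY = "org.apache.catalina.session.ManagerBase.SESSION_ID_LENGTH"
# Minimum session ID entropy recommended by the OWASP page linked in the question.
MIN_BITS = 128

# Constructed sample: a 32-hex-char ID followed by the ".node1" jvmRoute suffix.
SAMPLE_SET_COOKIE = ("JSESSIONID=0123456789abcdef0123456789abcdef.node1; "
                     "Path=/app; HttpOnly")


def size_property_value(desired_length):
    """Value for PROPERTY that yields a session ID of desired_length chars:
    ((desired / 4) * 3) - 2. The division is only exact for multiples of 4,
    so other lengths are rounded UP to the next multiple of 4 (assumption: a
    slightly longer ID is always acceptable to the tester)."""
    if desired_length < 4:
        raise ValueError("desired_length must be at least 4")
    rounded = 4 * math.ceil(desired_length / 4)
    return (rounded // 4) * 3 - 2


def standalone_system_properties(desired_length, jvm_route=None):
    """Render the <system-properties> element to paste into standalone.xml.
    jvm_route is optional; because JBoss Web appends it to every session ID
    after a '.', restrict it to characters that are safe in a cookie value
    and in an XML attribute."""
    lines = [
        "<system-properties>",
        '    <property name="%s" value="%d"/>'
        % (PROPERTY, size_property_value(desired_length)),
    ]
    if jvm_route is not None:
        if not re.fullmatch(r"[A-Za-z0-9_-]+", jvm_route):
            raise ValueError("jvmRoute must match [A-Za-z0-9_-]+")
        lines.append('    <property name="jvmRoute" value="%s"/>' % jvm_route)
    lines.append("</system-properties>")
    return "\n".join(lines)


_JSESSIONID = re.compile(r"\bJSESSIONID=([^;\s]+)")


def session_id_from_set_cookie(header):
    """Extract the JSESSIONID value from a Set-Cookie header, or None."""
    m = _JSESSIONID.search(header)
    return m.group(1) if m else None


def measure_session_id(session_id, jvm_route=None):
    """Length and an entropy UPPER BOUND for a session ID.

    The '.' + jvmRoute suffix is a fixed configured string used for
    load-balancer routing, so it is stripped before estimating entropy.
    Bits per character are inferred from the alphabet seen (4 for hex,
    6 for a base64-style alphabet); this bounds the entropy, it does not
    measure the quality of the generator behind the ID."""
    random_part = session_id
    if jvm_route and session_id.endswith("." + jvm_route):
        random_part = session_id[: -(len(jvm_route) + 1)]
    if random_part and all(c in string.hexdigits for c in random_part):
        bits_per_char = 4
    elif random_part and re.fullmatch(r"[A-Za-z0-9+/_-]+", random_part):
        bits_per_char = 6
    else:
        bits_per_char = 0  # unknown alphabet: refuse to guess
    bits = len(random_part) * bits_per_char
    return {
        "total_length": len(session_id),
        "random_length": len(random_part),
        "max_entropy_bits": bits,
        "meets_owasp_minimum": bits >= MIN_BITS,
    }


if __name__ == "__main__":
    print(standalone_system_properties(50, jvm_route="node1"))
    sid = session_id_from_set_cookie(SAMPLE_SET_COOKIE)
    print(sid, measure_session_id(sid, jvm_route="node1"))
```

Run it against a real Set-Cookie header captured from the application after the property change; if the random part still falls short of MIN_BITS, lengthening jvmRoute will not close the gap, only a larger SESSION_ID_LENGTH will.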

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM