I'm using redisson to store tomcat sessions to distribute requests between a couple of servers using a load balancer.
I was wondering if there is a chance of session id collisions between the servers? Or how can I ensure that session ids are unique between servers?
A session id is a very important secret. If the session id follows any sort of pattern or could be predicted, the results would be catastrophic, as it could do tremendous harm to financial, insurance, and infrastructure systems. If one could predict a session id, it would be trivial to "hack" the active session.
Fortunately the authors of Tomcat are well informed of those risks and the default session id generator code is quite robust. Under the hood, it uses strong cryptography to generate ids that have an extraordinarily low probability of collision... as in you would have to generate sessions for centuries before a collision.
Don't take my word for it though, you may inspect the code for the StandardSessionIdGenerator here:
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/util/StandardSessionIdGenerator.java
https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/util/SessionIdGeneratorBase.java
Notice the usage of SecureRandom and the quite large keyspace of the default session id. It would be quite difficult to predict the next value. You can be assured that for nearly every use case each server will produce a unique value.
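As an added illustration of the points in the answer above (this is a constructed example, not Tomcat's or Redisson's code), the block below builds a Tomcat-style session id from a CSPRNG, checks its shape, computes the birthday-bound collision probability for the default 128-bit id, and contrasts it with a seeded non-cryptographic PRNG. Python's `secrets` module stands in for Java's `SecureRandom`; the function names, the regular expression and the `jvm_route` parameter are this example's own, chosen to mirror Tomcat's default of 16 random bytes, uppercase hex, and an optional `.jvmRoute` suffix.

```python
"""Constructed example: Tomcat-style session ids from a CSPRNG, a format check,
the birthday-bound collision estimate, and the predictable-PRNG anti-pattern.
Helper names are this example's own; only the id format mirrors Tomcat's default."""
import math
import random
import re
import secrets

SESSION_ID_BYTES = 16          # Tomcat's default sessionIdLength: 128 bits of entropy
SESSION_ID_RE = re.compile(r"^[0-9A-F]{32}(\.[A-Za-z0-9_-]+)?$")


def generate_session_id(n_bytes=SESSION_ID_BYTES, jvm_route=None):
    """Draw n_bytes from the OS CSPRNG (the role SecureRandom plays in Tomcat) and
    hex-encode them. jvm_route is the optional per-node suffix Tomcat appends when
    the Engine has a jvmRoute; it helps the load balancer route requests back to
    the right node, it is not what makes the ids unique."""
    sid = secrets.token_bytes(n_bytes).hex().upper()
    if jvm_route:
        sid += "." + jvm_route
    return sid


def is_well_formed(sid):
    """Shape check only: 32 uppercase hex characters plus an optional route suffix."""
    return SESSION_ID_RE.fullmatch(sid) is not None


def collision_probability(n_sessions, n_bits=SESSION_ID_BYTES * 8):
    """Birthday bound: P(at least one duplicate among n uniformly random n_bits-bit
    ids) ~= 1 - exp(-n(n-1) / 2^(n_bits+1)). expm1 keeps precision when P is tiny."""
    return -math.expm1(-(n_sessions * (n_sessions - 1)) / 2.0 ** (n_bits + 1))


def sessions_until_probability(p, n_bits=SESSION_ID_BYTES * 8):
    """Inverse of the bound: how many ids can be issued before P(collision) reaches p."""
    return math.sqrt(-2.0 ** (n_bits + 1) * math.log1p(-p))


def predictable_ids(seed, count, n_bytes=SESSION_ID_BYTES):
    """The anti-pattern: a seeded, non-cryptographic PRNG (Mersenne Twister). Anyone
    who learns the seed, or enough outputs to recover the state, reproduces every id."""
    rng = random.Random(seed)
    return [rng.getrandbits(n_bytes * 8).to_bytes(n_bytes, "big").hex().upper()
            for _ in range(count)]


def unique_count(ids):
    """Number of distinct ids in a batch, for an empirical duplicate check."""
    return len(set(ids))


if __name__ == "__main__":
    batch = [generate_session_id(jvm_route="node1") for _ in range(100_000)]
    print("well formed:", all(is_well_formed(s) for s in batch))
    print("distinct:", unique_count(batch), "of", len(batch))
    print("P(collision) after 1e12 sessions: %.2e" % collision_probability(10**12))
    print("ids before P(collision) = 50%%: %.2e" % sessions_until_probability(0.5))
    print("seeded PRNG repeats itself:", predictable_ids(42, 3) == predictable_ids(42, 3))
```

Two things worth taking from this: the `.node1` suffix distinguishes the servers for routing but contributes nothing to unpredictability, so every node still needs its own CSPRNG seeded from OS entropy (which a default `SecureRandom` does); and with 128 random bits the bound says you need on the order of 2e19 ids before a collision becomes a coin flip, which is why a shared session store across a handful of servers does not change the answer.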