January 10, 2003
Session id duplicates ( or meteor hits )

The session id generation uses 128 random bits (16 bytes). The default source is java.security.SecureRandom ( see ManagerBase ). The chance of a collision should be insignificant - just like being hit by a meteor ( as Eric put it ).

Apparently two people were "hit by meteors" when two identical session ids were generated. Even more interesting, they lived to tell the story - i.e. the event was reported by users. Obviously attempts to reproduce this failed - all you can do is sit and wait for a meteor.

In tomcat5 ( and 3.3 ) it is possible to use /dev/urandom, another random device, or a pipe to an arbitrary generator - performance was the main motivation, but it should also improve the quality of the randomness. It is also quite easy to mix a counter into the id; that does not add randomness, but it guarantees uniqueness even if the random source ever repeats itself.

The most likely explanation was suggested by Craig - maybe we're dealing with errors in the application code ( the same id handed to two clients by the application, not by the generator ).

One dead end was checking for synchronization issues. Even with a perfect generator, if it is not thread-safe ( MT safe ) you can have 2 threads calling it at the exact same time - and it can give both of them the exact same number ( if the second caller reads the state before the first one has written the update back ). Amazing - java.util.Random is _not_ synchronized. However we use SecureRandom - whose nextBytes() is synchronized - and we have about 4 sync blocks in ManagerBase.
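The race described above, as an added example ( not Tomcat code ): the same 48-bit LCG step that java.util.Random uses, written once with an unsynchronized read-modify-write of the seed and once with a synchronized step, hammered by several threads. Any value handed out twice is a duplicate, since the generator's period is far longer than the run. Class names, the seed, and the Thread.yield() used to widen the race window are the example's own choices; the duplicate count of the unsafe variant depends on timing, the synchronized variant reports 0.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.LongSupplier;

public class RaceDemo {

    // Constants of the LCG used by java.util.Random.
    static final long MULT = 0x5DEECE66DL, ADD = 0xBL, MASK = (1L << 48) - 1;

    /** Unsynchronized read-modify-write of the seed: the bug under discussion. */
    static class UnsafeLcg {
        long seed = 0x123456789ABCL;                  // arbitrary fixed seed (example value)
        long next() {
            long s = seed;                            // two threads may read the same s ...
            Thread.yield();                           // widen the window so the race shows up quickly
            long n = (s * MULT + ADD) & MASK;
            seed = n;                                 // ... and both hand out the same n
            return n;
        }
    }

    /** Same generator, but the step is atomic. */
    static class SafeLcg {
        long seed = 0x123456789ABCL;
        synchronized long next() {
            seed = (seed * MULT + ADD) & MASK;
            return seed;
        }
    }

    /** Draws perThread values on each of 'threads' threads; returns how many values were handed out more than once. */
    static int countDuplicates(LongSupplier gen, int threads, int perThread) throws InterruptedException {
        Set<Long> seen = ConcurrentHashMap.newKeySet();
        AtomicInteger dups = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);   // release all threads at once
        Thread[] ts = new Thread[threads];
        for (int i = 0; i < threads; i++) {
            ts[i] = new Thread(() -> {
                try { start.await(); } catch (InterruptedException e) { return; }
                for (int j = 0; j < perThread; j++) {
                    if (!seen.add(gen.getAsLong())) dups.incrementAndGet();
                }
            });
            ts[i].start();
        }
        start.countDown();
        for (Thread t : ts) t.join();
        return dups.get();
    }

    public static void main(String[] args) throws InterruptedException {
        UnsafeLcg unsafe = new UnsafeLcg();
        SafeLcg safe = new SafeLcg();
        System.out.println("unsafe duplicates: " + countDuplicates(unsafe::next, 4, 200_000));
        System.out.println("safe duplicates:   " + countDuplicates(safe::next, 4, 200_000));
    }
}
```

Note that the unsafe variant shows more than the one-off "same number" case: a lost update rewinds the sequence, so a whole run of values gets replayed. A hash applied after the generator ( as Tomcat does with MD5 ) does nothing against this - equal inputs give equal digests.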

Remy and a few other people did the logical test of generating many sessions and looking for a duplicate - no duplicates so far.

BTW, in case you're not familiar with the code: tomcat uses a java.util.Random-compatible generator to generate the session ID. You can specify any such class - the default is java.security.SecureRandom. In tomcat3.3 and tomcat5, we check for /dev/urandom and use it if available - it's faster and has a better entropy source.

After the random bytes are generated, we apply an MD5 transformation. Most random number generators are deterministic and will produce the same sequence from the same state - so if you know a session ID, and thus the generator's output, you can compute the next one. MD5 is a one-way transform - if you know the session ID you can't recover the original random bytes - and as a consequence you can't derive the generator's state from an id. The hash only hides the generator's output, though; the protection is only as strong as the generator's state. With SecureRandom's 128 bits that is fine, but a generator with a small state ( java.util.Random has 48 bits of state ) can still be recovered by hashing every candidate state and comparing against one observed id.
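The pipeline described above, as an added example that is not Tomcat's ManagerBase: 16 random bytes from SecureRandom, a per-generator counter mixed in ( the uniqueness guard mentioned earlier ), an MD5 digest, hex encoding - plus the "generate many ids and look for a duplicate" check. Class and method names are the example's own, and the whole generation step is synchronized because MessageDigest is not thread-safe.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

public class SessionIdDemo {

    private final SecureRandom random = new SecureRandom();   // default source, as in Tomcat
    private final MessageDigest digest;                       // MD5, not thread-safe on its own
    private long counter = 0;                                 // guarded by the synchronized method

    SessionIdDemo() throws NoSuchAlgorithmException {
        digest = MessageDigest.getInstance("MD5");
    }

    /** 16 random bytes (128 bits) plus a counter, hashed; MD5 yields 16 bytes = 32 hex chars. */
    synchronized String generateSessionId() {
        byte[] rnd = new byte[16];
        random.nextBytes(rnd);                 // SecureRandom.nextBytes() is itself synchronized
        digest.reset();
        digest.update(rnd);
        long c = ++counter;                    // even a repeated random block yields a distinct id
        for (int i = 0; i < 8; i++) {
            digest.update((byte) (c >>> (8 * i)));
        }
        byte[] out = digest.digest();
        StringBuilder sb = new StringBuilder(out.length * 2);
        for (byte b : out) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    /** The "meteor" test: draw n ids from one generator, return how many were already seen. */
    static int duplicatesAmong(SessionIdDemo gen, int n) {
        Set<String> seen = new HashSet<>(n * 2);
        int dups = 0;
        for (int i = 0; i < n; i++) {
            if (!seen.add(gen.generateSessionId())) dups++;
        }
        return dups;
    }

    public static void main(String[] args) throws Exception {
        SessionIdDemo gen = new SessionIdDemo();
        System.out.println("sample id: " + gen.generateSessionId());
        System.out.println("duplicates in 1,000,000 ids: " + duplicatesAmong(gen, 1_000_000));
    }
}
```

Swapping `new SecureRandom()` for `new java.util.Random()` keeps every id looking just as random, which is why a test like this one can never tell you whether the generator is predictable - only whether it repeats.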

On my favorite subject ( extension points ) - we have 3 hooks here ( the Manager itself, the Random, and the transform algorithm ).

Posted by costin at January 10, 2003 01:44 PM