jsessionid validator regex in esapi.properties not applicable to ids generated by tomcat

Description

From Alex.x86@gmail.com on September 03, 2012 15:13:59

From http://tomcat.apache.org/tomcat-6.0-doc/config/manager.html :

The length of session ids created by this Manager, measured in bytes, excluding subsequent conversion to a hexadecimal string and excluding any JVM route information used for load balancing. The default is 16.

The validator regex in Validator.HTTPJSESSIONID should be changed from

^[A-Z0-9]{10,30}$

to

^[A-Z0-9]{10,32}$

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=286

Environment

None

Status

Assignee

Unassigned

Reporter

Max Gelman

Priority

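
The length mismatch described in this issue, as an added example (not code from ESAPI or from the reporter): a 16-byte id hex-encodes to 32 characters, which the current pattern rejects and the proposed one accepts. The class name, the randomly generated sample ids, the upper-case hex encoding and the `.node1` route suffix are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.regex.Pattern;

public class JsessionIdRegexCheck {
    // Patterns quoted from the issue: the current value and the proposed one.
    static final Pattern CURRENT = Pattern.compile("^[A-Z0-9]{10,30}$");
    static final Pattern PROPOSED = Pattern.compile("^[A-Z0-9]{10,32}$");

    // Constructed sample id: N random bytes rendered as 2*N hexadecimal
    // characters, as the quoted Tomcat documentation describes.
    // Upper-case hex output is an assumption of this example.
    static String sampleId(int lengthInBytes, SecureRandom rng) {
        byte[] raw = new byte[lengthInBytes];
        rng.nextBytes(raw);
        StringBuilder sb = new StringBuilder(2 * lengthInBytes);
        for (byte b : raw) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    static void report(String label, String id) {
        System.out.printf("%-18s %2d chars  current=%-5b proposed=%b%n",
                label, id.length(),
                CURRENT.matcher(id).matches(),
                PROPOSED.matcher(id).matches());
    }

    public static void main(String[] args) {
        SecureRandom rng = new SecureRandom();

        // 16 bytes is the documented default; 15 and 17 bracket it.
        for (int bytes : new int[] {5, 15, 16, 17}) {
            report(bytes + " bytes", sampleId(bytes, rng));
        }

        // Assumption: a load-balanced deployment appends the JVM route after a
        // dot. '.' is outside [A-Z0-9], so both patterns reject such an id
        // regardless of the length bound.
        report("16 bytes + route", sampleId(16, rng) + ".node1");
    }
}
```

Raising `sessionIdLength` above 16 in the Tomcat Manager configuration produces ids longer than 32 characters, so the upper bound in `Validator.HTTPJSESSIONID` has to track that setting.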