make web session key more versatile

fe/src/com/baidu/palo/http/HttpAuthManager.java

@@ -26,7 +26,7 @@ public class HttpAuthManager {
     private static long SESSION_EXPIRE_TIME = 2; // hour
     private static long SESSION_MAX_SIZE = 100; // avoid to store too many
 
-    private static HttpAuthManager instance = null;
+    private static HttpAuthManager instance = new HttpAuthManager();
 
     // session_id => username
     private Cache<String, String> authSessions =  CacheBuilder.newBuilder()
@@ -39,9 +39,6 @@ private HttpAuthManager() {
     }
 
     public static HttpAuthManager getInstance() {
-        if (instance == null) {
-            instance = new HttpAuthManager();
-        }
         return instance;
     }
 

fe/src/com/baidu/palo/http/action/WebBaseAction.java

@@ -15,13 +15,6 @@
 
 package com.baidu.palo.http.action;
 
-import java.net.InetSocketAddress;
-import java.util.Date;
-import java.util.List;
-
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
-
 import com.baidu.palo.common.AnalysisException;
 import com.baidu.palo.common.Config;
 import com.baidu.palo.common.DdlException;
@@ -33,13 +26,21 @@
 import com.baidu.palo.http.BaseResponse;
 import com.baidu.palo.http.HttpAuthManager;
 import com.baidu.palo.http.rest.RestBaseResult;
+
 import com.google.common.base.Strings;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
 import io.netty.handler.codec.http.DefaultCookie;
 import io.netty.handler.codec.http.HttpHeaders;
 import io.netty.handler.codec.http.HttpMethod;
 import io.netty.handler.codec.http.HttpResponseStatus;
 
+import java.net.InetSocketAddress;
+import java.util.List;
+import java.util.UUID;
+
 public class WebBaseAction extends BaseAction {
     private static final Logger LOG = LogManager.getLogger(WebBaseAction.class);
     private static final String ADMIN_USER = "root";
@@ -118,7 +119,6 @@ public void execute(BaseRequest request, BaseResponse response) {
         } else if (method.equals(HttpMethod.POST)) {
             executePost(request, response);
         } else {
-
             response.appendContent(new RestBaseResult("HTTP method is not allowed.").toJson());
             writeResponse(request, response, HttpResponseStatus.METHOD_NOT_ALLOWED);
         }
@@ -150,7 +150,7 @@ protected boolean checkAuth(BaseRequest request, BaseResponse response) {
                 return true;
             } catch (DdlException e) {
                 response.appendContent("Authentication Failed. <br/> "
-                        + "You can only access test  <a href=\"/help\">'/help'</a> page without login!");
+                        + "You can only access <a href=\"/help\">'/help'</a> page without login!");
                 writeAuthResponse(request, response);
                 return false;
             }
@@ -196,9 +196,7 @@ protected void addSession(BaseRequest request, BaseResponse response, String val
         // We use hashcode of client's IP and timestamp, which not only can identify users from
         // different host machine, but also can improve the difficulty of forging cookie.
         int clientAddrHashCode = ((InetSocketAddress) request.getContext().channel().remoteAddress()).hashCode();
-        String key = String.valueOf(clientAddrHashCode)
-                + "_"
-                + String.valueOf(new Date().getTime());
+        String key = UUID.randomUUID().toString();
         DefaultCookie cookie = new DefaultCookie(PALO_SESSION_ID, key);
         cookie.setMaxAge(PALO_SESSION_EXPIRED_TIME);
         response.addCookie(cookie);
@@ -333,4 +331,3 @@ public static NotFoundAction getNotFoundAction() {
         return NOT_FOUND_ACTION;
     }
 }
-