XHTTP transport: Add `sessionIDTable` and `sessionIDLength`; Rename `session*` to `sessionID*` by Fangliding · Pull Request #6258 · XTLS/Xray-core

Fangliding · 2026-06-03T14:08:37Z

基本是 #6251 和 #6253 的修正版本
支持range设定自定义table 必须是 ASCII 字符
预定义table

"ALPHABET": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
"Alphabet": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
"BASE36":   "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ",
"Base62":   "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
"HEX":      "0123456789ABCDEF",
"alphabet": "abcdefghijklmnopqrstuvwxyz",
"base36":   "0123456789abcdefghijklmnopqrstuvwxyz",
"hex":      "0123456789abcdef",
"number":   "0123456789"

#5414 (comment) 中的 sessionPlacement -> sessionIDPlacement，sessionKey -> sessionIDKey，第三方实现无需兼容原名

配置示例

"xhttpSettings": {
    "sessionIDPlacement": "header", // path, query, cookie, header
    "sessionIDKey": "Token", // 上一项为 path 时该项不生效
    "SessionIDTable": "Base62",  // 无需与服务端保持一致
    "SessionIDLength": "16-32" // 起始值不可为 0，总的 id 空间必须大于 21 亿
},

Fangliding · 2026-06-03T14:09:15Z

还有修了一下语法检查飙警告

ghost · 2026-06-03T14:36:54Z

lets see

ghost · 2026-06-03T15:32:03Z

the issue with this entire thing is, if we're going to use query it still can be detected, param=string&param2=digits, i guess we're being forced to get back into header mode which is retarded in the first place, you should allow us also append params in query string, the same way you do with "headers"

Fangliding · 2026-06-03T17:17:08Z

跟这个patch无关其余部分不是我设计的

ghost · 2026-06-03T18:12:28Z

ik its not related to this pr, but awaiting a month until another detection gets in a way is one of our concerns, try adding more options in the next pr to cover that too, considering we've got extra: headers{ why not have extra: {queries:... append:{ prepend:{

byhexdev · 2026-06-04T13:56:00Z

WE ARE BEGGING APPROVE THIS PULL REQUEST🗣️🗣️🗣️🗣️🗣️🗣️

Katze-942 · 2026-06-04T14:37:37Z

I tested this, and it really does help bypass a CDN that started blocking requests based on UUID-like session IDs.

Looking forward to the merge.

…imes) XTLS#6258 — XHTTP Custom sessionID: - sessionIDTable: base62 / hex / HEX / 自定义 ASCII 表 - sessionIDLength: RangeConfig 控制长度 - GenerateSessionID() 替代 uuid.New().String() XTLS#4231 — Mux cool maxReuseTimes: - mux ClientStrategy 支持 MaxReuseTimes 替代固定 128 - 默认 60000，可通过 maxReuseTimes 配置下调 - outbound handler 传递配置到 mux 策略

saberkovich · 2026-06-04T16:20:07Z

NEED TO MERGE PLEASE IM DYING

itzice1337 · 2026-06-04T21:22:51Z

MERGE 😭

Antony1381 · 2026-06-05T00:35:48Z

Please merge this 🙏
CDNs are currently blocking xhttp due to the detectable UUID pattern. This fix is highly needed.

Empower-art · 2026-06-05T06:00:44Z

Please merge this 🙏

ilyasovalbert · 2026-06-05T15:21:00Z

Please merge this 🙏 We need this feature

saberkovich · 2026-06-05T22:05:34Z

merge or gay

kirillgureviry · 2026-06-06T00:08:24Z

⚡Учёные наконец-то описали редкий феномен: чем больше у человека вайтлист-серверов, тем заметнее тает его способность к связной мысли. Поначалу звучит как вброс с сомнительного паблика, но, глядя на комментарии выше, начинаешь верить в науку.

FuriousWarrior · 2026-06-06T10:57:44Z

Please merge this 🙏 We need this feature

euppi98 · 2026-06-06T14:48:02Z

⚡Учёные наконец-то описали редкий феномен: чем больше у человека вайтлист-серверов, тем заметнее тает его способность к связной мысли. Поначалу звучит как вброс с сомнительного паблика, но, глядя на комментарии выше, начинаешь верить в науку.

Честно говоря не понятно что вы имели в виду?

hxehex · 2026-06-06T15:34:50Z

Merge or you will get a free oreshnik missile ride

ElDrako32 · 2026-06-06T16:15:10Z

Поставил я xray с этими правками, прописал в config sessionIDTable и sessionIDLength, но в запросах по логам nginx всё равно Uuid содержит "-".
Как правильно настраивать теперь надо?

belotserkovtsev · 2026-06-06T17:29:41Z

the issue with this entire thing is, if we're going to use query it still can be detected, param=string&param2=digits, i guess we're being forced to get back into header mode which is retarded in the first place, you should allow us also append params in query string, the same way you do with "headers"

@ghost #6282 - it randomizes the request path per request from an operator-supplied list (pathPool), so with session/seq in cookies there's no fixed path or query pattern left to match. and query/header append could be the next step

belotserkovtsev · 2026-06-06T17:44:11Z

param=string&param2=digits shape only shows up if you keep session/seq in the query. you're not stuck with header mode though. cookie placement keeps both out of the URL completely, so there's no query pattern to match. #6282 then randomizes the request path per request from an operator list, so the fixed path isn't a tell either. With those two, query-param padding isn't really needed, and it tends to become its own signature anyway

ivanvolkovd · 2026-06-07T09:01:01Z

Поставил я xray с этими правками, прописал в config sessionIDTable и sessionIDLength, но в запросах по логам nginx всё равно Uuid содержит "-". Как правильно настраивать теперь надо?

"xhttpSettings": {
    "path": "api",
    "sessionIDTable": "alphabet",
    "sessionIDLength": 20,
    ...
}

Вижу, отправляются запросы вида:
https://example.com/api/viphfxwvtsyphuzhxfcj/0
https://example.com/api/mhsocbksgochkvpihumh/0
https://example.com/api/zhjzueizffmqebvdfnbx/0

ElDrako32 · 2026-06-07T10:04:38Z

Вижу, отправляются запросы вида:
https://example.com/api/viphfxwvtsyphuzhxfcj/0
https://example.com/api/mhsocbksgochkvpihumh/0
https://example.com/api/zhjzueizffmqebvdfnbx/0

Тогда подскажите, пожалуйста, что я делаю не так?
Переключился на brach xhttp-sessionid

Xray-core> git status
On branch xhttp-sessionid
Your branch is up to date with 'origin/xhttp-sessionid'.

nothing to commit, working tree clean

Собрал, заменил xray на сервере и клиенте под виндовс.
В конфиге сервера:

        "streamSettings": {
            "network": "xhttp",
            "security": "none",
            "sockopt": {
                "mark": 128, "tcpFastOpen": false, "dialerProxy": "fragment",
                "trustedXForwardedFor": ["X-Code"]
            },
            "xhttpSettings": {
                    "path": "/api/",
                    "mode": "packet-up",

                    "xPaddingObfsMode": true,
                    "xPaddingMethod": "tokenish",
                    "xPaddingPlacement": "query",
                    "xPaddingHeader": "api_v1",
                    "xPaddingKey": "xss",
                    "seqKey": "id",
                    "seqPlacement": "query",
                    "xPaddingBytes": "100-1000",
                    "sessionKey": "auth",
                    "sessionPlacement": "path",
                    "uplinkChunkSize": 280,
                    "uplinkDataKey": "X-Ver",
                    "uplinkDataPlacement": "header",
                    "uplinkHTTPMethod": "GET",
                    "scStreamUpServerSecs": "20-80",
                    "noSSEHeader": true,
                    "sessionIDTable": "alphabet",
                    "sessionIDLength": "20"
            }
      }

На клиенте:

 "outbounds": [
        {
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "domain",
                        "port": 443,
                        "users": [
                            {
                                "encryption": "none",
                                "flow": "xtls-rprx-vision",
                                "id": "_id_"
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "xhttp",
                "security": "tls",
                "tlsSettings": {
                    "alpn": [
                        "h2",
                        "http/1.1"
                    ],
                    "fingerprint": "randomized",
                    "serverName": "domain"
                },
                "xhttpSettings": {
                    "extra": {
                        "noSSEHeader": false,
                        "seqKey": "id",
                        "seqPlacement": "query",
                        "sessionKey": "auth",
                        "sessionPlacement": "path",
                        "uplinkChunkSize": 280,
                        "uplinkDataKey": "X-Ver",
                        "uplinkDataPlacement": "header",
                        "uplinkHTTPMethod": "GET",
                        "xPaddingBytes": "100-1000",
                        "xPaddingHeader": "api_v1",
                        "xPaddingKey": "xss",
                        "xPaddingMethod": "tokenish",
                        "xPaddingObfsMode": true,
                        "xPaddingPlacement": "query",
                        "xmux": {
                            "cMaxReuseTimes": "0",
                            "hKeepAlivePeriod": 0,
                            "hMaxRequestTimes": "300-600",
                            "hMaxReusableSecs": "900-1800",
                            "maxConnections": "8"
                        }
                    },
                    "headers": {
                        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36",
                        "X-Code": "daadf769eqadf"
                    },
                    "host": "domain",
                    "mode": "packet-up",
                    "path": "/api/",
                    "sessionIDLength": 20,
                    "sessionIDTable": "alphabet"
                }
            },
            "tag": "proxy"
        },

В логах nginx:
[07/Jun/2026:12:53:48 +0300] "GET /api/b1a9d139-0353-4435-984c-4fc8d0f03aca?xss=GWfdx9WRH5cUrX43vlTNelNsdXnk90YN77TOGd06zBO56WHqTeuCN59KtufCCijQDfC182pxgx1Vs

Fangliding · 2026-06-08T20:12:38Z

首字母大写是我在偏后写 alphabet 的时候没想好lower+upper的该怎么命名才弄出来的为了区分全大写/全小写/大小写三种模式 base62无歧义我想这不多敲一遍shift或者capslock

RPRX · 2026-06-08T20:17:51Z

配置也就写一遍不用反复敲，改成风格一致的比较直观吧，顺便这个 map 的顺序改成按前两个字母的 ascii 编号来排序

ghost · 2026-06-08T21:51:13Z

so what exactly stops you from being Normal and using proper alphabet implementation instead of confusing with "Alphabet"? alphabet what? Chinese alphabet? Cyrillic? English? do what people did in https://github.com/XTLS/Xray-core/pull/6253/changes#diff-4167e9b7ffb52959c4a31f7d8c6925c87ff20ce13b482b33142842769d11119dR56

what are you reinventing the wheel for?

euppi98 · 2026-06-09T05:11:10Z

Guys, just do it already.
Chicos, simplemente háganlo ya.
伙计们，赶紧做吧。
दोस्तों, बस अब इसे कर डालो।
يا شباب، فقط افعلوها وخلاص.
Les gars, faites-le et puis c'est tout.
বন্ধুরা, শুধু এটা করে ফেলো।
Galera, só façam isso logo.
دوستو، بس اب اسے کر ڈالو۔
Teman-teman, lakukan saja sudah.
Leute, macht es doch einfach.
みんな、もうさっさとやっちゃって。
다들, 그냥 좀 해버려.
Arkadaşlar, sadece yapın şunu artık.
Ragazzi, fatelo e basta.

RPRX · 2026-06-09T08:04:22Z

@Fangliding 按照 #5414 (comment) 的命名风格应该是 sessionTable 和 sessionLength，另外 PR 正文写个 example

RPRX · 2026-06-09T08:08:19Z

~~这里用 math/rand/v2 没问题，虽然我确实想都改成 crypto/rand，不过会多个 syscall #6228 (comment) ，以后再决定吧~~

RPRX · 2026-06-09T08:24:45Z

再次重申 #6253 (comment)

~~另外既然这次一些用户要改配置文件才能继续过 CDN，干脆把 #6159 实装了算了，@Meo597 你写那 warning 有点刷屏~~

Fangliding · 2026-06-09T09:34:56Z

但是session表和session长度看起来很奇怪啊

RPRX · 2026-06-09T09:47:57Z

要不就把另外两个也改名了，直接 breaking 吧，反正俄罗斯这情况原配置也用不了，infra 配置项改成放一起，看起来不乱

~~Mihomo 和小火箭等第三方实现加这些的时候也直接 breaking 了吧，无需兼容原名~~

ElDrako32 · 2026-06-09T10:11:03Z

要不就把另外两个也改名了，直接 breaking 吧，反正俄罗斯这情况原配置也用不了，infra 配置项改成放一起，看起来不乱

"sessionIDTable": "alphabet"
This is currently working in Russia, but starting this month, TSPUs (DPIs) will also recognize fingerprint images from uTLS. However, they do not simply compare the prints; instead, they respond to a large number of handshakes within a short period of time.
But without “alphabet,” it doesn't work at all via the CDN, so we're really looking forward to the release.

RPRX · 2026-06-09T16:02:46Z

@Fangliding PR 正文加个 example，对新的四个参数进行说明，~~毕竟官网文档没得改~~

RPRX · 2026-06-09T16:19:53Z

@Fangliding ~~你这咋还带有中文引号的，且少了逗号，改一下~~，把另外两个参数的说明也加上

Fangliding · 2026-06-09T16:23:33Z

新参数只有两个啊

RPRX · 2026-06-09T16:29:47Z

~~另外两个既然改名了也一并说明一下吧，链接一下 #5414 (comment)~~

Fangliding · 2026-06-09T16:32:26Z

那几个挂在那个什么obfsmode下面要开得一起开那就是三个无关字段和两个新增字段。。

RPRX · 2026-06-09T16:34:36Z

~~啊这样的吗，那个命名不是 XPaddingObfsMode 吗，还影响非 XPadding 开头的？~~

Fangliding · 2026-06-09T16:47:13Z

哦好像是只xpadding 我把那个pr记成都用obfsmode当入口了

Meo597 · 2026-06-09T16:50:30Z

~~另外既然这次一些用户要改配置文件才能继续过 CDN，干脆把 #6159 实装了算了，@Meo597 你写那 warning 有点刷屏~~

主打一个恐吓警告到位
现在还没 stable 直接实装吗，好多人没收到警告呢还

…imes) - sessionIDTable: base62 / hex / HEX / 自定义 ASCII 表 - sessionIDLength: RangeConfig 控制长度 - GenerateSessionID() 替代 uuid.New().String() - mux ClientStrategy 支持 MaxReuseTimes 替代固定 128 - 默认 60000，可通过 maxReuseTimes 配置下调 - outbound handler 传递配置到 mux 策略

- PR XTLS#6261 (ECH H2C fix): TLS ECH h2c:// 查询正确处理 - PR XTLS#6254 (brutal): TCP 暴力加速器 - PR XTLS#6258 (Custom sessionID): XHTTP sessionIDTable/sessionIDLength - PR XTLS#4231 (mux maxReuseTimes): Mux 连接复用次数上限 - PR XTLS#6058 (freedom compatibility): Freedom 出站兼容性改进 - XUDP: 改进 UDP over XUDP 传输效率 - 新增 xray.go 配置框架

RPRX · 2026-06-09T19:49:50Z

@Fangliding 你那个 example 里 sessionIDPlacement 写的 header 然而 sessionIDKey 写的 token，小写 t 有点误导了，改一下

顺便需要明说改了 #5414 (comment) 参数名，列一下 sessionIDPlacement 的四个可选值，以及 sessionIDKey 不对 path 生效

Fangliding · 2026-06-09T19:51:36Z

http header大小写不敏感啊

RPRX · 2026-06-09T19:54:00Z

~~啊这样的吗，我咋记得只是处理时不敏感，实际发送是首字母以及 - 后首字母大写的？还是说只有 h1 是这样？~~

Fangliding · 2026-06-09T19:55:31Z

配置怎么写都随便到go里统一映射到 Aaaaaa-Bbbbb-Cccccc 这种格式

RPRX · 2026-06-09T19:57:00Z

~~所以说大写 T 更直观，算了我直接改一下吧~~

RPRX · 2026-06-09T20:17:41Z

~~另外既然这次一些用户要改配置文件才能继续过 CDN，干脆把 #6159 实装了算了，@Meo597 你写那 warning 有点刷屏~~

主打一个恐吓警告到位现在还没 stable 直接实装吗，好多人没收到警告呢还

@Meo597 开个 PR 直接实装，并且把 warning 改成类似于“现已默认不信任 X-Forwarded-For，请配置 XXX”吧，一行就行

实际上随便配置个值就能消掉这个 warning，注意要写 XHTTP 而不是 split，~~另外 v2fly 那边有个 gRPC 的 PR 可以顺便搞过来~~

Fangliding force-pushed the xhttp-sessionid branch from 2d68d34 to 4f7a474 Compare June 3, 2026 14:17

Custom sessionID

2f121bd

Fangliding force-pushed the xhttp-sessionid branch from 4f7a474 to 2f121bd Compare June 3, 2026 14:42

nil safe

0e6ab63

Katze-942 mentioned this pull request Jun 4, 2026

[XHTTP] Session ID format (UUID with dashes) is detectable by CDN/DPI systems #6264

Closed

More table

87c08d0

belotserkovtsev mentioned this pull request Jun 6, 2026

transport/internet/splithttp: per-request path randomization (pathPool) #6282

Closed

Reorganize predefined character sets in config.go

3f4a400

Rename

bbcf2c4

RPRX changed the title ~~Custom sessionID~~ XHTTP transport: Add sessionIDTable and sessionIDLength; Rename session* to sessionID* Jun 9, 2026

RPRX merged commit e10347b into main Jun 9, 2026
48 checks passed

Conversation

Fangliding commented Jun 3, 2026 • edited by RPRX Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Fangliding commented Jun 3, 2026

Uh oh!

ghost commented Jun 3, 2026

Uh oh!

ghost commented Jun 3, 2026

Uh oh!

Fangliding commented Jun 3, 2026

Uh oh!

ghost commented Jun 3, 2026

Uh oh!

byhexdev commented Jun 4, 2026

Uh oh!

Katze-942 commented Jun 4, 2026

Uh oh!

saberkovich commented Jun 4, 2026

Uh oh!

itzice1337 commented Jun 4, 2026

Uh oh!

Antony1381 commented Jun 5, 2026

Uh oh!

Empower-art commented Jun 5, 2026

Uh oh!

ilyasovalbert commented Jun 5, 2026

Uh oh!

saberkovich commented Jun 5, 2026

Uh oh!

kirillgureviry commented Jun 6, 2026

Uh oh!

FuriousWarrior commented Jun 6, 2026

Uh oh!

euppi98 commented Jun 6, 2026

Uh oh!

hxehex commented Jun 6, 2026

Uh oh!

ElDrako32 commented Jun 6, 2026

Uh oh!

belotserkovtsev commented Jun 6, 2026

Uh oh!

belotserkovtsev commented Jun 6, 2026

Uh oh!

ivanvolkovd commented Jun 7, 2026

Uh oh!

ElDrako32 commented Jun 7, 2026

Uh oh!

Fangliding commented Jun 8, 2026

Uh oh!

RPRX commented Jun 8, 2026

Uh oh!

ghost commented Jun 8, 2026

Uh oh!

euppi98 commented Jun 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

RPRX commented Jun 9, 2026

Uh oh!

RPRX commented Jun 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

RPRX commented Jun 9, 2026

Uh oh!

Fangliding commented Jun 9, 2026

Uh oh!

RPRX commented Jun 9, 2026

Uh oh!

ElDrako32 commented Jun 9, 2026

Uh oh!

Uh oh!

RPRX commented Jun 9, 2026

Uh oh!

RPRX commented Jun 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Fangliding commented Jun 9, 2026

Uh oh!

RPRX commented Jun 9, 2026

Uh oh!

Fangliding commented Jun 3, 2026 •

edited by RPRX

Loading

euppi98 commented Jun 9, 2026 •

edited

Loading

RPRX commented Jun 9, 2026 •

edited

Loading

RPRX commented Jun 9, 2026 •

edited

Loading

Fangliding commented Jun 9, 2026 •

edited

Loading

RPRX commented Jun 9, 2026 •

edited

Loading