ASP.NET Session ID

Thread: ASP.NET Session ID

  1. #1
    Member
    Join Date
    Nov 2004
    Posts
    32

    ASP.NET Session ID

    Is anyone aware of any research that has been done on the algorithm that generates this value?

    A number of .NET applications have crossed my path in recent months and I'm always disappointed to see how random the numbers are in successive new connection requests.

  2. #2
    Banned
    Join Date
    Apr 2004
    Posts
    410
    As far as my knowledge goes on ASP.NET, that is how it is done: the numbers are made to generate at random. If the numbers are the same, someone can easily copy them and log on to another account.

  3. #3
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Good Day,

    yourdeadin: if the numbers are the same, someone can easily copy them and log on to another account.
    And… so the sessions do not collide and of course it makes it harder to guess the existing session’s ID.

    Is anyone aware of any research that has been done on the algorithm that generates this value?
    Yep I was just at a site about another ASP question and lo and behold:

    “The SessionIDModule class generates a session ID as a 120-bit random number and represents it as a string of 20 alphanumeric characters. The session ID can be stored in either a HTTP cookie or a mangled URL, based on the value of the cookieless attribute in the <sessionState> configuration section.”

    http://www.vsj.co.uk/articles/display.asp?id=286


    In C# it would look similar to:

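    using System.Security.Cryptography;

    byte[] sessionkey = new byte[15]; // 15 bytes = 120 bits
    RNGCryptoServiceProvider rngkey = new RNGCryptoServiceProvider(); // Generates a random number
    rngkey.GetBytes(sessionkey); // fill the array with random bytes
    string clientsessionKey = SessionId.Encode(sessionkey); // encode the bytes as the session ID string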

    http://www.codeproject.com/aspnet/as...tstatmgmnt.asp


    I'm always disappointed to see how random the numbers are in successive new connection requests.
    In ASP.NET 2.0 you can create session IDs. This is accomplished by replacing the normally created SessionIDModule with one of your own. However, do not forget the reason why the numbers are randomized in the first place.

    Hope that helps.

    Cheers
    Connection refused, try again later.
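
Added example, not part of the thread and not code from any poster or from ASP.NET itself: one way to supply your own session IDs in ASP.NET 2.0 while keeping them unpredictable, by deriving from the SessionIDManager class in System.Web.SessionState and registering it through the sessionIDManagerType attribute of <sessionState>. The class name RandomSessionIDManager, the Samples namespace and the hex encoding are assumptions made for illustration.

```csharp
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;

namespace Samples // hypothetical namespace
{
    // Registered in web.config (assembly name depends on your project):
    //   <sessionState sessionIDManagerType="Samples.RandomSessionIDManager, App_Code" />
    public class RandomSessionIDManager : SessionIDManager
    {
        private const int IdBytes = 15; // 120 bits, the size quoted in the thread
        private const string Hex = "0123456789abcdef";

        // Cryptographic RNG; never derive IDs from counters, timestamps or System.Random.
        private static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();

        public override string CreateSessionID(HttpContext context)
        {
            byte[] raw = new byte[IdBytes];
            Rng.GetBytes(raw);

            // Hex keeps the ID safe for both cookies and cookieless URLs.
            StringBuilder id = new StringBuilder(IdBytes * 2);
            foreach (byte b in raw)
            {
                id.Append(Hex[b >> 4]);
                id.Append(Hex[b & 0x0F]);
            }
            return id.ToString();
        }

        // Reject anything that is not exactly the shape we issue, so a
        // client-supplied value of another form is never accepted as an ID.
        public override bool Validate(string id)
        {
            if (id == null || id.Length != IdBytes * 2)
                return false;
            foreach (char c in id)
            {
                if (Hex.IndexOf(c) < 0)
                    return false;
            }
            return true;
        }
    }
}
```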
