SessionID - How unique it is now ?

P

Patrice Scribe

I noticed that the SessionID is now a complex string instead of a simple
number as it was under ASP.

I believe it could be because when session variables are persisted ot the
database, reusing a number should be avoided to prevent picking variables
used by a previously abandonned session.

That said I've not been able to find out how unique is supposed to be this
new SessionID, it is some kind of encoded GUID with uniqueness guarantee or
is it only likely unique ????

TIA for any reference about this.

Patrice

--
 
P

Patrice Scribe

More specifically it is never reused during the application lifetime malking
each sessionid unique accross the whole application lifetime ?

UInder the hood is this a GUID ?

--

Alvin Bruney said:
It's guaranteed unique inside an application as well as outside of it.
Click to expand...
 
M

MSFT

Hi patrice,

Saving Session in database is only a optional way in ASP.NET, we also can
choose other session. Each active ASP.NET session is identified and tracked
using a 120-bit SessionID string containing only the ASCII characters that
are allowed in URLs. SessionID values are generated using an algorithm that
guarantees uniqueness so that sessions do not collide, and randomness so
that a malicious user cannot use a new SessionID to calculate the SessionID
of an existing session.

Hope this answer your question.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
P

Patrice Scribe

And is it safe to say that this SessionID is never resused during the
lifetime of an application ?

TIA

Patrice
 
M

MSFT

Hi Patrice,

Due the generation arithmetic of Session ID (128 bit), it is very very very
very hard to find same one. This is just like GUID.



Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

How Unique is a GUID 5
sessionId is reused after calling session.abandon 4
Same sessionID retuned to diff browsers in diff machines 2
Is this safely unique? 7
Elise Mooney reports on Channel 9 about Maths Worldwide and the fraudthat it is 1
unique numbers using srand( ) and rand( ) functions in C++ 4
How far is this true? 2
How far is this true? 9

Members online

Total: 22 (members: 1, guests: 21)
Robots: 432

Forum statistics

Threads
473,767
Messages
2,569,572
Members
45,045
Latest member
DRCM

Latest Threads

Top