SessionID


Peter Morris

Hi all

Can anyone tell me which class/method is used to generate the unique ID
whenever a new session is created? I'd like a unique string but don't want
to go for a GUID because I want it to be less predictable.



Thanks

Pete
 

Peter Bromberg [C# MVP]

Why do you think that a GUID is predictable? GUIDs are designed to be so
unique that the chance there will ever be an identical one to that which was
just generated, in your and my lifetimes, is virtually impossible.
Peter
 

bruce barker

the routine is not exposed, but it's pretty simple. generate a random
number, then encrypt it. decrypt before use (prevents hacking).

-- bruce (sqlwork.com)
 

Anthony Jones

Peter Bromberg said:
Why do you think that a GUID is predictable? GUIDs are designed to be so
unique that the chance there will ever be an identical one to that which
was just generated, in your and my lifetimes, is virtually impossible.

The property of a GUID being globally unique does not necessarily mean that
it has to be particularly random or unpredictable.

Various GUID specs use the current time, system tick counts and node
identifiers (such as a MAC address) as a basis for creating a GUID. Hence
having sight of a reasonable set of such GUIDs created by a single server
gives an attacker a very reasonable chance at predicting other GUIDs it may
have generated.

Unless you are aware that the specific algorithm used to generate GUIDs
has a sufficiently random nature, it may not be the best choice if you are
generating key values that need to be unpredictable for security reasons.

The .NET Guid.NewGuid() method does appear to be generating random Guids
but the docs do not make any statement regarding its randomness. Hence to
rely on it being random and unpredictable would, strictly speaking, be a
mistake.
 

Anthony Jones

Peter Morris said:
Hi all

Can anyone tell me which class/method is used to generate the unique ID
whenever a new session is created? I'd like a unique string but don't
want to go for a GUID because I want it to be less predictable.

To generate something sufficiently random for this purpose you need the
RNGCryptoServiceProvider.

The SessionID used in ASP.NET appears to be a Base32 encoding of a 15 byte
random number.
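
One way to produce an identifier of the shape described in the post above (15 bytes from RNGCryptoServiceProvider, Base32-encoded), as an added example that is not part of the original thread and is not ASP.NET's own code. The class name SessionToken and the 32-character alphabet are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SessionToken
{
    // 32-symbol alphabet chosen for this example (5 bits per character).
    private const string Alphabet = "abcdefghijklmnopqrstuvwxyz012345";

    // 15 bytes = 120 bits, which splits evenly into 24 five-bit groups,
    // so the encoded token needs no padding characters.
    public const int TokenBytes = 15;

    public static string NewToken()
    {
        byte[] raw = new byte[TokenBytes];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(raw); // cryptographically strong random bytes
        }
        return Base32Encode(raw);
    }

    public static string Base32Encode(byte[] data)
    {
        var sb = new StringBuilder((data.Length * 8 + 4) / 5);
        int buffer = 0, bits = 0;
        foreach (byte b in data)
        {
            buffer = (buffer << 8) | b;
            bits += 8;
            while (bits >= 5)
            {
                bits -= 5;
                sb.Append(Alphabet[(buffer >> bits) & 0x1F]);
            }
            buffer &= (1 << bits) - 1; // keep only the unconsumed low bits
        }
        if (bits > 0) // left-align a final partial group, if any
            sb.Append(Alphabet[(buffer << (5 - bits)) & 0x1F]);
        return sb.ToString();
    }

    public static void Main()
    {
        string token = NewToken();
        Console.WriteLine(token + " (" + token.Length + " chars)");
    }
}
```

Each token carries 120 bits taken directly from the cryptographic generator, so earlier tokens reveal nothing about later ones, unlike the time- and MAC-based GUID schemes discussed earlier in the thread.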
 
