SessionID

  • Peter Morris

    SessionID

    Hi all

    Can anyone tell me which class/method is used to generate the unique ID
    whenever a new session is created? I'd like a unique string but don't want
    to go for a GUID because I want it to be less predictable.



    Thanks

    Pete

  • Hillbilly

    #2
    Re: SessionID

    Google said this...


    "Peter Morris" <mrpmorrisNO@SPAMgmail.com> wrote in message
    news:OyQChSyGJHA.4408@TK2MSFTNGP04.phx.gbl...
    > Hi all
    >
    > Can anyone tell me which class/method is used to generate the unique ID
    > whenever a new session is created? I'd like a unique string but don't
    > want to go for a GUID because I want it to be less predictable.
    >
    > Thanks
    >
    > Pete


    • Peter Bromberg [C# MVP]

      #3
      Re: SessionID

      Why do you think that a GUID is predictable? GUIDs are designed to be so
      unique that the chance there will ever be an identical one to that which was
      just generated, in your and my lifetimes, is virtually impossible.
      Peter
      "Peter Morris" <mrpmorrisNO@SPAMgmail.com> wrote in message
      news:OyQChSyGJHA.4408@TK2MSFTNGP04.phx.gbl...
      > Hi all
      >
      > Can anyone tell me which class/method is used to generate the unique ID
      > whenever a new session is created? I'd like a unique string but don't
      > want to go for a GUID because I want it to be less predictable.
      >
      > Thanks
      >
      > Pete


      • bruce barker

        #4
        Re: SessionID

        the routine is not exposed, but it's pretty simple. generate a random
        number, then encrypt it. decrypt before use (prevents hacking).

        -- bruce (sqlwork.com)

        Peter Morris wrote:
        > Hi all
        >
        > Can anyone tell me which class/method is used to generate the unique ID
        > whenever a new session is created? I'd like a unique string but don't
        > want to go for a GUID because I want it to be less predictable.
        >
        > Thanks
        >
        > Pete


        • Anthony Jones

          #5
          Re: SessionID

          "Peter Bromberg [C# MVP]" <pbromberg@dontdoit.yahoo.com> wrote in message
          news:2C15874D-08A0-4AD4-8F95-D072AF5AF5D1@microsoft.com...
          > Why do you think that a GUID is predictable? GUIDs are designed to be so
          > unique that the chance there will ever be an identical one to that which
          > was just generated, in your and my lifetimes, is virtually impossible.

          The property of a GUID being globally unique does not necessarily mean that
          it has to be particularly random or unpredictable.

          Various GUID specs use the current time, system tick counts and node
          identifiers (such as a MAC address) as a basis for creating a GUID. Hence
          having sight of a reasonable set of such GUIDs created by a single server
          gives an attacker a very reasonable chance at predicting other GUIDs it may
          have generated.

          Unless you are aware that the specific algorithm used to generate GUIDs
          has a sufficiently random nature, it may not be the best choice if you are
          generating key values that need to be unpredictable for security reasons.

          The .NET Guid.NewGuid() method does appear to be generating random Guids
          but the docs do not make any statement regarding its randomness. Hence to
          rely on it being random and unpredictable would, strictly speaking, be a
          mistake.


          --
          Anthony Jones - MVP ASP/ASP.NET


          • Anthony Jones

            #6
            Re: SessionID



            "Peter Morris" <mrpmorrisNO@SPAMgmail.com> wrote in message
            news:OyQChSyGJHA.4408@TK2MSFTNGP04.phx.gbl...
            > Hi all
            >
            > Can anyone tell me which class/method is used to generate the unique ID
            > whenever a new session is created? I'd like a unique string but don't
            > want to go for a GUID because I want it to be less predictable.

            To generate something sufficiently random for this purpose you need the
            RNGCryptoServiceProvider.

            The SessionID used in ASP.NET appears to be a Base32 encoding of a 15 byte
            random number.

            --
            Anthony Jones - MVP ASP/ASP.NET

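An added example, not code from the thread or from ASP.NET itself: one way to produce an ID of the shape post #6 describes (15 bytes from the cryptographic RNG, Base32-encoded), plus a helper that reads the GUID version field relevant to post #5. The class and method names and the Base32 alphabet are assumptions of this example; the thread does not say which alphabet ASP.NET uses.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SessionToken
{
    // Assumed 32-symbol alphabet (one symbol per 5 bits), chosen for this example.
    const string Alphabet = "abcdefghijklmnopqrstuvwxyz234567";

    // 15 bytes = 120 bits = exactly 24 five-bit symbols, so no padding is needed.
    public static string New(int byteCount = 15)
    {
        var bytes = new byte[byteCount];
        // On .NET Framework, Create() returns an RNGCryptoServiceProvider,
        // the class named in post #6.
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        return Base32(bytes);
    }

    public static string Base32(byte[] data)
    {
        var sb = new StringBuilder((data.Length * 8 + 4) / 5);
        int buffer = 0, bits = 0;
        foreach (byte b in data)
        {
            buffer = (buffer << 8) | b;   // append 8 new bits
            bits += 8;
            while (bits >= 5)             // emit every complete 5-bit group
            {
                bits -= 5;
                sb.Append(Alphabet[(buffer >> bits) & 31]);
            }
            buffer &= (1 << bits) - 1;    // keep only the unconsumed bits
        }
        if (bits > 0)                     // length not a multiple of 5 bytes
            sb.Append(Alphabet[(buffer << (5 - bits)) & 31]);
        return sb.ToString();
    }

    // RFC 4122 version nibble: 1 = time and node based, 4 = random.
    // Version 4 says the bits are random, not that they come from a CSPRNG.
    public static int GuidVersion(Guid g) => g.ToByteArray()[7] >> 4;

    static void Main()
    {
        Console.WriteLine(New());
        Console.WriteLine(GuidVersion(Guid.NewGuid()));
    }
}
```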

            • Peter Morris

              #7
              Re: SessionID

              This was exactly what I was looking for, thanks!



              Pete
