Ideas on creating a unique session id?

We have sort of a centralized single-signon written in ASP.NET for all of
our legacy ASP and ASP.NET apps.. There are around 1200 users and something
like 2 dozen apps. Everyonce in a while, a user gets the error that their
session is a duplicate in the database.. I talked to the database guys about
putting in a job that cleans up old sessions, but I also want to have this
work a little cleaner on the front-end.

I need to generate a truly session id, here is my code right now (where
UniqueIdentifier is the users login):


using System.Security.Cryptography;

public string GenerateSessionID(string UniqueIdentifier)
{
TimeSpan objTS =
System.Diagnostics.Process.GetCurrentProcess().Tot alProcessorTime;
int t = DateTime.Now.Second + DateTime.Now.Millisecond + objTS.Seconds +
objTS.Milliseconds;
long lngRandom = new System.Random(t).Next();
string strData = UniqueIdentifier + lngRandom.ToString();
string strTmp = "";
System.Text.UnicodeEncoding encoding = new System.Text.UnicodeEncoding();
byte[] hashBytes = encoding.GetBytes(strData);
SHA1 sha1 = new SHA1CryptoServiceProvider();
byte[] cryptPassword = sha1.ComputeHash(hashBytes);
for ( int x=0 ; x < cryptPassword.Length ; x++ )
{
strTmp = strTmp + String.Format("{0,2:X2}", cryptPassword[x]);
}
return strTmp;
}

But as you might imagine, using time values like this helps, but doesn't
solve this. Even going out to the year or month:

05 + 15 = 20 (month + day for May 15th)
04 + 16 = 20 (month + day for April 16th)

Same with seconds, etc.. I need a truly random number or seed for the random
number generator. In other words, UserLogin + date and time + processor
time... is still not truly unique, because these numbers can overlap.

Anyhow already have a bullet-proof way to handle this?

This process is very random, well - like 99%.. but I would just like to have
this be 100%. Any ideas?

re: Ideas on creating a unique session id?

Why not simply use a database field with an auto-incrementing number. This
will give you a unique number. The main problem with this is that the
numbers are sequential (thus, being rather easy to guess other session id's
from your own session id). One method to get around this is to have another
field in the same database which contains the "public session id". This
field is set to "Unique", so the database will force that no two session
id's are identical. Then, the end-user must supply boh values to gain
access. You can use your string below as this second value.

DanB


"RCS" <rseder@gmail.com> wrote in message
news:Mb99e.1352$L03.106@newssvr17.news.prodigy.com ...[color=blue]
> We have sort of a centralized single-signon written in ASP.NET for all of
> our legacy ASP and ASP.NET apps.. There are around 1200 users and
> something like 2 dozen apps. Everyonce in a while, a user gets the error
> that their session is a duplicate in the database.. I talked to the
> database guys about putting in a job that cleans up old sessions, but I
> also want to have this work a little cleaner on the front-end.
>
> I need to generate a truly session id, here is my code right now (where
> UniqueIdentifier is the users login):
>
>
> using System.Security.Cryptography;
>
> public string GenerateSessionID(string UniqueIdentifier)
> {
> TimeSpan objTS =
> System.Diagnostics.Process.GetCurrentProcess().Tot alProcessorTime;
> int t = DateTime.Now.Second + DateTime.Now.Millisecond + objTS.Seconds +
> objTS.Milliseconds;
> long lngRandom = new System.Random(t).Next();
> string strData = UniqueIdentifier + lngRandom.ToString();
> string strTmp = "";
> System.Text.UnicodeEncoding encoding = new System.Text.UnicodeEncoding();
> byte[] hashBytes = encoding.GetBytes(strData);
> SHA1 sha1 = new SHA1CryptoServiceProvider();
> byte[] cryptPassword = sha1.ComputeHash(hashBytes);
> for ( int x=0 ; x < cryptPassword.Length ; x++ )
> {
> strTmp = strTmp + String.Format("{0,2:X2}", cryptPassword[x]);
> }
> return strTmp;
> }
>
> But as you might imagine, using time values like this helps, but doesn't
> solve this. Even going out to the year or month:
>
> 05 + 15 = 20 (month + day for May 15th)
> 04 + 16 = 20 (month + day for April 16th)
>
> Same with seconds, etc.. I need a truly random number or seed for the
> random number generator. In other words, UserLogin + date and time +
> processor time... is still not truly unique, because these numbers can
> overlap.
>
> Anyhow already have a bullet-proof way to handle this?
>
> This process is very random, well - like 99%.. but I would just like to
> have this be 100%. Any ideas?
>
>[/color]

re: Ideas on creating a unique session id?

In message <Mb99e.1352$L03.106@newssvr17.news.prodigy.com>, RCS
<rseder@gmail.com> writes[color=blue]
>We have sort of a centralized single-signon written in ASP.NET for all of
>our legacy ASP and ASP.NET apps.. There are around 1200 users and something
>like 2 dozen apps. Everyonce in a while, a user gets the error that their
>session is a duplicate in the database.. I talked to the database guys about
>putting in a job that cleans up old sessions, but I also want to have this
>work a little cleaner on the front-end.
>
>I need to generate a truly session id, here is my code right now (where
>UniqueIdentifier is the users login):[/color]

System.Guid.NewGuid()?

--
Steve Walker

re: Ideas on creating a unique session id?

This might help:
http://groups-beta.google.com/groups...+oj+Uuidcreate

or:

http://groups-beta.google.com/groups...j+GenerateComb

--
-oj


"RCS" <rseder@gmail.com> wrote in message
news:Mb99e.1352$L03.106@newssvr17.news.prodigy.com ...[color=blue]
> We have sort of a centralized single-signon written in ASP.NET for all of
> our legacy ASP and ASP.NET apps.. There are around 1200 users and
> something like 2 dozen apps. Everyonce in a while, a user gets the error
> that their session is a duplicate in the database.. I talked to the
> database guys about putting in a job that cleans up old sessions, but I
> also want to have this work a little cleaner on the front-end.
>
> I need to generate a truly session id, here is my code right now (where
> UniqueIdentifier is the users login):
>
>
> using System.Security.Cryptography;
>
> public string GenerateSessionID(string UniqueIdentifier)
> {
> TimeSpan objTS =
> System.Diagnostics.Process.GetCurrentProcess().Tot alProcessorTime;
> int t = DateTime.Now.Second + DateTime.Now.Millisecond + objTS.Seconds +
> objTS.Milliseconds;
> long lngRandom = new System.Random(t).Next();
> string strData = UniqueIdentifier + lngRandom.ToString();
> string strTmp = "";
> System.Text.UnicodeEncoding encoding = new System.Text.UnicodeEncoding();
> byte[] hashBytes = encoding.GetBytes(strData);
> SHA1 sha1 = new SHA1CryptoServiceProvider();
> byte[] cryptPassword = sha1.ComputeHash(hashBytes);
> for ( int x=0 ; x < cryptPassword.Length ; x++ )
> {
> strTmp = strTmp + String.Format("{0,2:X2}", cryptPassword[x]);
> }
> return strTmp;
> }
>
> But as you might imagine, using time values like this helps, but doesn't
> solve this. Even going out to the year or month:
>
> 05 + 15 = 20 (month + day for May 15th)
> 04 + 16 = 20 (month + day for April 16th)
>
> Same with seconds, etc.. I need a truly random number or seed for the
> random number generator. In other words, UserLogin + date and time +
> processor time... is still not truly unique, because these numbers can
> overlap.
>
> Anyhow already have a bullet-proof way to handle this?
>
> This process is very random, well - like 99%.. but I would just like to
> have this be 100%. Any ideas?
>
>[/color]

re: Ideas on creating a unique session id?

Guid.NewGuid(); ?

Regards

Richard Blewett - DevelopMentor
http://www.dotnetconsult.co.uk/weblog
http://www.dotnetconsult.co.uk

This might help:
http://groups-beta.google.com/groups...+oj+Uuidcreate

or:

http://groups-beta.google.com/groups...j+GenerateComb

--
-oj


"RCS" <rseder@gmail.com> wrote in message
news:Mb99e.1352$L03.106@newssvr17.news.prodigy.com ...[color=blue]
> We have sort of a centralized single-signon written in ASP.NET for all of
> our legacy ASP and ASP.NET apps.. There are around 1200 users and
> something like 2 dozen apps. Everyonce in a while, a user gets the error
> that their session is a duplicate in the database.. I talked to the
> database guys about putting in a job that cleans up old sessions, but I
> also want to have this work a little cleaner on the front-end.
>
> I need to generate a truly session id, here is my code right now (where
> UniqueIdentifier is the users login):
>
>
> using System.Security.Cryptography;
>
> public string GenerateSessionID(string UniqueIdentifier)
> {
> TimeSpan objTS =
> System.Diagnostics.Process.GetCurrentProcess().Tot alProcessorTime;
> int t = DateTime.Now.Second + DateTime.Now.Millisecond + objTS.Seconds +
> objTS.Milliseconds;
> long lngRandom = new System.Random(t).Next();
> string strData = UniqueIdentifier + lngRandom.ToString();
> string strTmp = "";
> System.Text.UnicodeEncoding encoding = new System.Text.UnicodeEncoding();
> byte[] hashBytes = encoding.GetBytes(strData);
> SHA1 sha1 = new SHA1CryptoServiceProvider();
> byte[] cryptPassword = sha1.ComputeHash(hashBytes);
> for ( int x=0 ; x < cryptPassword.Length ; x++ )
> {
> strTmp = strTmp + String.Format("{0,2:X2}", cryptPassword[x]);
> }
> return strTmp;
> }
>
> But as you might imagine, using time values like this helps, but doesn't
> solve this. Even going out to the year or month:
>
> 05 + 15 = 20 (month + day for May 15th)
> 04 + 16 = 20 (month + day for April 16th)
>
> Same with seconds, etc.. I need a truly random number or seed for the
> random number generator. In other words, UserLogin + date and time +
> processor time... is still not truly unique, because these numbers can
> overlap.
>
> Anyhow already have a bullet-proof way to handle this?
>
> This process is very random, well - like 99%.. but I would just like to
> have this be 100%. Any ideas?
>
>[/color]



[microsoft.public.dotnet.languages.csharp]