UniqueID

Hi Peter,

I don't think session IDs are guaranteed to be unique, so you wouldn't want
to use that. There's also the danger of session hijacking.

Can you create your own GUID and store it in a Session variable or cookie
for each user?

Ken
"Peter Morris [Droopy eyes software]" <pe**@droopyeyes.no.com.spam> wrote in
message news:uD**************@TK2MSFTNGP02.phx.gbl...

Does anyone know how ASP .net creates session IDs? I heard ASP classic
used to use a GUID but those were too predictable and made it easy for
people to guess the next ID in the sequence, and that ASP .net uses a
newer technique instead.

I'd like to generate a unique session ID for a "ticket" but obviously I
don't want it to be predictable :-)

Pete

Hi Ken

I don't think session IDs are guaranteed to be unique, so you wouldn't
want to use that. There's also the danger of session hijacking.
That's exactly what I am trying to avoid.

Can you create your own GUID and store it in a Session variable or cookie
for each user?

At the moment my LogIn() method returns a Guid generated using
Guid.NewGuid(). According to a book I once read on ASP .net classic ASP
used to use this approach but apparently it is too easy to guess the next
Guid in the sequence, therefore people would log in to get their Guid and
then guess the Guid of other sessions before/after it in the sequence.

I also read that ASP .net gets around this by modifying the generated Guid
in some way (MD5 maybe?) to help prevent this from happening. I'm not
really at high risk of this kind of behaviour but still I'd like to know how
it is done so that I may implement it for future reference.
Thanks

Pete

You can implement your own session id methodology if you are worried about
such issues.

http://msdn2.microsoft.com/en-us/lib...idmanager.aspx

As for how the one out of the box works ...

ASP.NET does not by default use a GUID, basically it generates 16 bytes of
random data then encodes it. You can see this for yourself with reflector by
inspecting System.Web.SessionState.SessionId::Create

Cheers,

Greg Young
MVP - C#

"Peter Morris [Droopy eyes software]" <pe**@droopyeyes.no.com.spam> wrote in
message news:Ow**************@TK2MSFTNGP03.phx.gbl...

Hi Ken

I don't think session IDs are guaranteed to be unique, so you wouldn't
want to use that. There's also the danger of session hijacking.

That's exactly what I am trying to avoid.

Can you create your own GUID and store it in a Session variable or cookie
for each user?

At the moment my LogIn() method returns a Guid generated using
Guid.NewGuid(). According to a book I once read on ASP .net classic ASP
used to use this approach but apparently it is too easy to guess the next
Guid in the sequence, therefore people would log in to get their Guid and
then guess the Guid of other sessions before/after it in the sequence.

I also read that ASP .net gets around this by modifying the generated Guid
in some way (MD5 maybe?) to help prevent this from happening. I'm not
really at high risk of this kind of behaviour but still I'd like to know
how it is done so that I may implement it for future reference.
Thanks

Pete

A unique SessionID can be done in a lot of ways. Random numbers can
often be less "random" than you would like. I have used the
System.DateTime.Now.Ticks() with a lot of success. You can use it as a
seed for a Random number, and then hash that, or just do an MD5 hash on
the Ticks returned. Just make sure that the source is the same (ie:
the server(s)). Although the chances of your
System.DateTime.Now.Ticks() call returning the exact number is
virtually none since it is the specific millisecond count of that
particular DateTime instance. A combination of a GUID with something
as unique as the Tick is a fairly solid solution.

- John Fullmer