SessionID - How unique is it now?


Patrice Scribe

I noticed that the SessionID is now a complex string instead of a simple
number as it was under ASP.

I believe it could be because when session variables are persisted to the
database, reusing a number should be avoided to prevent picking variables
used by a previously abandoned session.

That said, I've not been able to find out how unique this new SessionID is
supposed to be. Is it some kind of encoded GUID with a uniqueness guarantee or
is it only likely unique?

TIA for any reference about this.

Patrice

--
 
More specifically, is it never reused during the application lifetime, making
each SessionID unique across the whole application lifetime?

Under the hood, is this a GUID?

--

Alvin Bruney said:
It's guaranteed unique inside an application as well as outside of it.
 
Hi Patrice,

Saving Session in a database is only an optional way in ASP.NET; we also can
choose other session. Each active ASP.NET session is identified and tracked
using a 120-bit SessionID string containing only the ASCII characters that
are allowed in URLs. SessionID values are generated using an algorithm that
guarantees uniqueness so that sessions do not collide, and randomness so
that a malicious user cannot use a new SessionID to calculate the SessionID
of an existing session.

Hope this answers your question.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
And is it safe to say that this SessionID is never reused during the
lifetime of an application?

TIA

Patrice
 
Hi Patrice,

Due to the generation arithmetic of Session ID (128 bit), it is very very very
very hard to find the same one. This is just like GUID.



Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
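
Added example, not part of the thread and not Microsoft's code: a Python sketch of what "likely unique" means for a 120-bit random identifier, using the birthday bound, plus the explicit check a store needs if it must never hand out a previously issued ID. The 32-symbol alphabet, `new_session_id`, `collision_probability`, `ids_for_probability` and `SessionStore` are assumptions made for illustration.

```python
import math
import secrets

ID_BITS = 120  # size quoted in the thread
# Assumed 32-symbol URL-safe alphabet (5 bits per character, 24 characters total).
ALPHABET = "abcdefghijklmnopqrstuvwxyz012345"

def new_session_id() -> str:
    """Draw 120 bits from the OS CSPRNG and encode them as 24 URL-safe chars."""
    value = int.from_bytes(secrets.token_bytes(ID_BITS // 8), "big")
    chars = []
    for _ in range(ID_BITS // 5):
        chars.append(ALPHABET[value & 0x1F])  # lowest 5 bits pick one symbol
        value >>= 5
    return "".join(chars)

def collision_probability(n_ids: int, bits: int = ID_BITS) -> float:
    """Birthday bound: chance of at least one duplicate among n random IDs."""
    exponent = -n_ids * (n_ids - 1) / 2.0 ** (bits + 1)
    return -math.expm1(exponent)  # 1 - exp(x), accurate for tiny probabilities

def ids_for_probability(p: float, bits: int = ID_BITS) -> float:
    """Approximate number of IDs issued before the duplicate chance reaches p."""
    return math.sqrt(2.0 ** (bits + 1) * -math.log1p(-p))

class SessionStore:
    """Hypothetical store: random IDs are only very likely unique, so the
    'never reused' property comes from remembering every ID ever issued."""
    def __init__(self):
        self._issued = set()  # live and retired IDs; never pruned

    def issue(self, generate=new_session_id) -> str:
        while True:
            sid = generate()
            if sid not in self._issued:  # retry on the (improbable) duplicate
                self._issued.add(sid)
                return sid

if __name__ == "__main__":
    store = SessionStore()
    print("sample id:", store.issue())
    print("P(duplicate) after 1e9 ids:", collision_probability(10**9))
    print("ids for 50% duplicate chance:", ids_for_probability(0.5))
```

The random draw gives unpredictability and a negligible duplicate rate; only the lookup in `SessionStore.issue` gives a strict no-reuse guarantee.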
 