Scott on Writing

Musings on technical writing...

How are Session IDs guaranteed to be unique?

The other day I was reading Jeff Prosise's article Foiling Session Hijacking Attempts and it got me to wondering how, exactly, session IDs are chosen and how they are guaranteed to be unique.  The last thing you want to have happen is multiple, unique visitors hitting your site and being assigned, by chance, the exact same session ID, for such a case would cause these two unlucky visitors to “share” session state.

Session hijacking is an attack where the attacker attempts to guess a valid session ID or “steals” a valid user's session cookie.  Jeff says that guessing a valid session ID is a pretty hard attack to successfully pull off with ASP.NET since the session ID is “a highly-random 120-bit ID.”  If you check out the formal docs for ASP.NET Session State - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsessionstate.asp - it says:

"Each active ASP.NET session is identified and tracked using a 120-bit SessionID string containing only the ASCII characters that are allowed in URLs. SessionID values are generated using an algorithm that guarantees uniqueness so that sessions do not collide, and randomness so that a malicious user cannot use a new SessionID to calculate the SessionID of an existing session."

My question is - how are the selected session IDs guaranteed to be unique?  In using Reflector & poking around the code for the session state (specifically System.Web.SessionState.SessionId and System.Web.SessionState.SessionStateModule), I fail to see how the algorithm guarantees uniqueness.

The only method that calls SessionId.Create is SessionStateModule.BeginAcquireState, which doesn't appear to do any validation to ensure the session ID is unique.  Am I missing something obvious here?

From my understanding, the session ID is generated by a cryptographically strong algorithm, but I'm not too familiar with the properties of such algorithms.  I imagine they provide a stronger pseudo-random technique than non-cryptographically strong algorithms... maybe one of the properties of such algorithms is that it takes a really long time before there's a random number picked that has been picked before.

And, yes, I realize that 2^120 is a huge number, a number that, if written out, would be comprised of 36 digits... but still, I am wondering how no conflict in session IDs is guaranteed.

So....... does anyone know how this guarantee is made?  Am I missing finding something in Reflector or do I just need to have a better understanding of cryptographically strong pseudo-random number generators?  Any info most appreciated.

posted on Wednesday, June 15, 2005 10:53 PM

Feedback

# re: How are Session IDs guaranteed to be unique? 6/16/2005 5:56 AM Hannes Pavelka

Cryptographically strong with respect to pseudo random number generators means that after running the generator for n steps you cannot predict the next bit (b_i) after seeing bits (b_1, b_2, ..., b_{i-1}) with a probability better than 0.5.

Assume you have 11000101 generated so far, the chance for you to guess the next bit correctly is 0.5.

If for any reason you detect a certain pattern and thus your probability to guess correctly is greater than 0.5, the algorithm is not considered cryptographically secure anymore.

The cryptographic aspect prevents "clever guessing".

The generated IDs are statistically unique; that means the chance of generating the same SessionID is 7.1e-37.

Even if you issue a billion Session IDs the chance that two SessionIDs collide is 7.1e-28.

A probability of 7.1e-28 is so incredibly low that it is more likely you win a multistate lottery and get struck by lightning the same day.

But it's true SessionIDs are not mathematically unique. GUIDs & MAC addresses are not mathematically unique either.
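The post's question and the figures in the comment above both come down to the same arithmetic, so here is an added worked example (my own code, not from the post, the comments or ASP.NET itself) that draws a 120-bit ID from the OS CSPRNG, packs it into 24 URL-safe characters, and computes both the chance that one fresh draw hits a live ID and the birthday bound over many live sessions. The a-z/0-5 alphabet is an assumption meant to mirror ASP.NET 1.x's encoding, and the retry-on-duplicate issuer is a defensive variant for comparison, not what the framework does.

```python
import math
import secrets

ID_BITS = 120                  # entropy per SessionID, per the MSDN text quoted in the post
SPACE = 2 ** ID_BITS           # number of distinct IDs
# 32 symbols x 5 bits x 24 characters = 120 bits. Assumed here to be the a-z/0-5
# alphabet ASP.NET 1.x uses; any 32-symbol URL-safe alphabet would work the same.
ALPHABET = "abcdefghijklmnopqrstuvwxyz012345"


def new_session_id() -> str:
    """Draw 120 bits from the OS CSPRNG and pack them 5 bits per character."""
    n = secrets.randbits(ID_BITS)
    return "".join(ALPHABET[(n >> (5 * i)) & 0x1F] for i in range(ID_BITS // 5))


def p_single_collision(live: int) -> float:
    """Chance that one fresh ID equals any of `live` IDs already in use."""
    return live / SPACE


def p_any_collision(n: int) -> float:
    """Birthday bound: chance that at least two of n independently drawn IDs
    coincide, 1 - exp(-n(n-1)/(2*SPACE)); accurate while n << sqrt(SPACE)."""
    return -math.expm1(-(n * (n - 1)) / (2 * SPACE))


def ids_for_collision_prob(p: float) -> int:
    """How many live IDs it takes before the birthday bound reaches p."""
    return math.ceil(math.sqrt(-2 * SPACE * math.log1p(-p)))


def issue_id(live: set) -> str:
    """Defensive variant: consult the store and redraw on a duplicate. The post
    observes ASP.NET skips this; with 120 random bits the redraw never fires."""
    while True:
        sid = new_session_id()
        if sid not in live:
            live.add(sid)
            return sid


if __name__ == "__main__":
    print(new_session_id())
    print(f"one draw vs one live ID:  {p_single_collision(1):.2e}")
    print(f"any pair among 1e9 IDs:   {p_any_collision(10**9):.2e}")
    print(f"IDs for a 50% collision:  {ids_for_collision_prob(0.5):.2e}")
```

Note that p_single_collision grows linearly in the number of live sessions while p_any_collision grows with their square, so the two answer different questions: "will my next ID clash?" versus "has any pair clashed so far?".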

# re: How are Session IDs guaranteed to be unique? 6/17/2005 11:42 AM Justin Lovell

"& MAC addresses are not mathematically unique either."

MAC addresses are guaranteed to be unique because they are brought out by manufacturers. For example, they buy the 00-*** range. What they do internally is up to them. However, the point is that the generation of the MAC address is not mathematical - it is assigned slots of identification.

# re: How are Session IDs guaranteed to be unique? 6/18/2005 7:30 PM Kale

The strange thing is that ASP.NET doesn't seem to check whether a sent SessionID comes from the same IP-address + Port (like SSL does). When this is the case, it makes the security indeed weak, because a network sniffing hacker could fetch the SessionID and 'login' on your account.

But I can't believe that programming this check isn't that hard (and CPU consuming). Just compare the current IP-address and port number to the previous IP-address and port stored in the session object.

# re: How are Session IDs guaranteed to be unique? 6/18/2005 9:02 PM Scott Mitchell

Kale, the approach you describe is essentially the increased security measure that Jeff Prosise adds in his article:
http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/

# re: How are Session IDs guaranteed to be unique? 6/19/2005 3:18 PM Kale

I'm sorry, I wasn't paying attention. I should have read Jeff Prosise's article.

What Jeff says is that you can't use the whole IP address and the port number, because some proxies may change this on every request (AOL). So, my proposed solution could lead to complications when users connect through proxies (they run into SessionIncorrectException).

# re: How are Session IDs guaranteed to be unique? 7/11/2005 2:44 PM Xander Sherry

>"MAC addresses are guaranteed to be unique because they are brought out by manufacturers."

MAC addresses are not guaranteed to be unique mathematically as the previous poster stated, however, and in fact are not guaranteed to be unique at all. First, you have defects. I've heard more than one story about devilishly hard to track down network issues being traced to bad batches of NICs that were assigned identical MAC addresses. Beyond that, you can buy (or build) NICs that have user-assignable MAC addresses, and there's nothing stopping you from giving the same address to two or more cards.
