Scott on Writing

Musings on technical writing...

How are Session IDs guaranteed to be unique?

The other day I was reading Jeff Prosise's article Foiling Session Hijacking Attempts, and it got me wondering how, exactly, session IDs are chosen and how they are guaranteed to be unique.  The last thing you want is two distinct visitors hitting your site and being assigned, by chance, the exact same session ID, since those two unlucky visitors would then "share" session state.

Session hijacking is an attack where the attacker either guesses a valid session ID or steals a valid user's session cookie.  Jeff says that guessing a valid session ID is a pretty hard attack to pull off against ASP.NET since the session ID is "a highly-random 120-bit ID."  If you check out the formal docs for ASP.NET Session State - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsessionstate.asp - they say:

"Each active ASP.NET session is identified and tracked using a 120-bit SessionID string containing only the ASCII characters that are allowed in URLs. SessionID values are generated using an algorithm that guarantees uniqueness so that sessions do not collide, and randomness so that a malicious user cannot use a new SessionID to calculate the SessionID of an existing session."

My question is - how are the selected session IDs guaranteed to be unique?  Using Reflector and poking around the session state code (specifically System.Web.SessionState.SessionId and System.Web.SessionState.SessionStateModule), I fail to see how the algorithm guarantees uniqueness.

The only method that calls SessionId.Create is SessionStateModule.BeginAcquireState, which doesn't appear to do any validation to ensure the session ID is unique.  Am I missing something obvious here?

From my understanding, the session ID is generated by a cryptographically strong algorithm, but I'm not too familiar with the properties of such algorithms.  I imagine they provide a stronger pseudo-random technique than non-cryptographically strong algorithms... maybe one of the properties of such algorithms is that it takes a really long time before there's a random number picked that has been picked before.

And, yes, I realize that 2^120 is a huge number, a 37-digit number (about 1.3 × 10^36) if written out... but still, I am wondering how no conflict in session IDs is guaranteed.

So....... does anyone know how this guarantee is made?  Am I missing finding something in Reflector or do I just need to have a better understanding of cryptographically strong pseudo-random number generators?  Any info most appreciated.

posted on Wednesday, June 15, 2005 10:53 PM

Feedback

# re: How are Session IDs guaranteed to be unique? 6/16/2005 5:56 AM Hannes Pavelka

Cryptographically strong, with respect to pseudo-random number generators, means that after running the generator for n steps you cannot predict the next bit (b_i) after seeing bits (b_1, b_2, ..., b_i-1) with a probability better than 0.5.

Assume you have 11000101 generated so far, the chance for you to guess the next bit correctly is 0.5.

If for any reason you detect a certain pattern and thus your probability to guess correctly is greater than 0.5, the algorithm is not considered cryptographically secure anymore.

The cryptographic aspect prevents "clever guessing".

The generated IDs are statistically unique; that means the chance of generating the same SessionID is 7.1e-37.

Even if you issue a billion session IDs, the chance that two SessionIDs collide is 7.1e-28.

A probability of 7.1e-28 is so incredibly low that it is more likely you win a multistate lottery and get struck by lightning the same day.

But it's true, SessionIDs are not mathematically unique. GUIDs & MAC addresses are not mathematically unique either.
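The post asks how uniqueness is guaranteed, and Hannes's reply is that the guarantee is statistical, not mathematical. The following is an added example, not code from the post, the comments or ASP.NET itself: it generates 120-bit IDs the way a CSPRNG-backed generator would and puts numbers on the birthday bound. The 32-symbol URL-safe alphabet and the 24-symbol length are assumptions chosen so that 120 bits encode at 5 bits per symbol; they are not a claim about the exact encoding ASP.NET uses.

```python
"""Added example: 120-bit session IDs drawn from a CSPRNG, plus the birthday bound on collisions."""
import math
import secrets

ID_BITS = 120
# Assumption: a 32-symbol alphabet (5 bits per symbol) made of characters allowed in URLs,
# so 120 bits become 24 symbols. This is illustrative, not ASP.NET's actual alphabet.
ALPHABET = "abcdefghijklmnopqrstuvwxyz012345"


def new_session_id() -> str:
    """Draw 15 random bytes (120 bits) from the OS CSPRNG and encode them as 24 symbols."""
    raw = secrets.token_bytes(ID_BITS // 8)
    n = int.from_bytes(raw, "big")
    symbols = []
    for _ in range(ID_BITS // 5):
        symbols.append(ALPHABET[n & 0x1F])  # take the low 5 bits
        n >>= 5
    return "".join(reversed(symbols))


def collision_probability(n_ids: int, bits: int = ID_BITS) -> float:
    """Birthday bound: probability of at least one collision among n_ids uniformly random
    bits-bit values, approximately 1 - exp(-n(n-1) / 2^(bits+1)).
    expm1 keeps tiny probabilities from being rounded away to 0.0."""
    space = 2.0 ** bits
    exponent = -(n_ids * (n_ids - 1)) / (2.0 * space)
    return -math.expm1(exponent)


def ids_for_probability(p: float, bits: int = ID_BITS) -> float:
    """Invert the bound: roughly how many IDs must be issued before the collision
    probability reaches p (p = 0.5 is the classic birthday threshold, ~2^60 for 120 bits)."""
    return math.sqrt(-2.0 * (2.0 ** bits) * math.log1p(-p))


if __name__ == "__main__":
    print("sample ID:", new_session_id())
    print("P(collision) for 2 IDs:", collision_probability(2))
    print("P(collision) for 1e9 IDs:", collision_probability(10**9))
    print("IDs needed for a 50% collision chance:", ids_for_probability(0.5))
    print("P(collision) for 1e5 32-bit IDs:", collision_probability(10**5, bits=32))
```

With these numbers, one pair of IDs collides with probability about 7.5e-37, a billion issued IDs collide with probability on the order of 1e-19 (the bound grows with the square of the count), and roughly 1.4 × 10^18 IDs have to be issued before a collision becomes a coin flip. Running the same function with bits=32 shows why short IDs collide almost immediately. None of this says what a server would do if a collision did occur; if that matters, the store has to reject a duplicate on insert and regenerate, rather than leave it to chance.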

# re: How are Session IDs guaranteed to be unique? 6/17/2005 11:42 AM Justin Lovell

"& MAC addresses are not mathematically unique either."

MAC addresses are guaranteed to be unique because they are brought out by manufacturers. For example, they buy the 00-*** range. What they do internally is up to them. However, the point is that the generation of the MAC address is not mathematical - it is assigned slots of identification.

# re: How are Session IDs guaranteed to be unique? 6/18/2005 7:30 PM Kale

The strange thing is that ASP.NET doesn't seem to check whether a sent SessionID comes from the same IP address + port (like SSL does). When this is the case, it makes the security indeed weak, because a network-sniffing hacker could fetch the SessionID and 'log in' to your account.

But I can't believe that programming this check isn't that hard (and CPU consuming). Just compare the current IP address and port number to the previous IP address and port stored in the session object.

# re: How are Session IDs guaranteed to be unique? 6/18/2005 9:02 PM Scott Mitchell

Kale, the approach you describe is essentially the increased security measure that Jeff Prosise adds in his article:
http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/

# re: How are Session IDs guaranteed to be unique? 6/19/2005 3:18 PM Kale

I'm sorry, I wasn't paying attention. I should have read Jeff Prosise's article.

What Jeff says is that you can't use the whole IP address and the port number, because some proxies may change these on every request (AOL). So, my proposed solution could lead to complications when users connect through proxies (they run into SessionIncorrectException).
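Kale's suggestion, with the proxy caveat from the exchange above, as an added example that is not code from the post, the comments or Jeff Prosise's article: the session cookie carries an HMAC tag over the session ID and a deliberately coarse client fingerprint (first two octets of the IPv4 address plus the User-Agent header), so a cookie sniffed and replayed from another network fails validation, while a proxy that rotates the client port or the low octets does not break the session. The choice of fingerprint fields and the per-server key are assumptions made for this example, not Prosise's exact scheme, and the check does nothing against an attacker on the same /16 who copies the User-Agent.

```python
"""Added example: binding a session cookie to coarse client attributes with an HMAC tag."""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a per-server secret generated at startup. In a web farm it would be shared
# across servers and kept outside source control; it is random here so the example runs.
SERVER_KEY = secrets.token_bytes(32)


def client_fingerprint(remote_ip: str, user_agent: str) -> bytes:
    """Coarse fingerprint: first two octets of the IPv4 address plus the User-Agent.
    The port and the low octets are left out on purpose, since proxies rotate them."""
    prefix = ".".join(remote_ip.split(".")[:2])
    return f"{prefix}|{user_agent}".encode("utf-8")


def _tag(session_id: str, remote_ip: str, user_agent: str) -> str:
    """HMAC-SHA256 over session_id and fingerprint, NUL-separated so the two cannot be confused."""
    msg = session_id.encode("utf-8") + b"\0" + client_fingerprint(remote_ip, user_agent)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id: str, remote_ip: str, user_agent: str) -> str:
    """Cookie value is 'session_id.tag'; the tag commits the ID to the client that received it."""
    return f"{session_id}.{_tag(session_id, remote_ip, user_agent)}"


def validate_cookie(cookie: str, remote_ip: str, user_agent: str) -> Optional[str]:
    """Return the session ID if the tag matches this request's fingerprint, otherwise None.
    A None result is where the server would treat the request as having no session."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not session_id:
        return None
    expected = _tag(session_id, remote_ip, user_agent)
    # Constant-time comparison so a forger cannot learn the tag from response timing.
    if hmac.compare_digest(expected.encode("ascii"), tag.encode("utf-8")):
        return session_id
    return None


if __name__ == "__main__":
    # Constructed sample requests: the legitimate client, the same client behind a
    # proxy that changed the low octets, and an attacker replaying from elsewhere.
    cookie = issue_cookie("abc123", "203.0.113.45", "Mozilla/5.0")
    print("same client:     ", validate_cookie(cookie, "203.0.113.45", "Mozilla/5.0"))
    print("proxy rotation:  ", validate_cookie(cookie, "203.0.77.9", "Mozilla/5.0"))
    print("other network:   ", validate_cookie(cookie, "198.51.100.7", "Mozilla/5.0"))
    print("other browser:   ", validate_cookie(cookie, "203.0.113.45", "curl/7.0"))
```

The tag is stored in the cookie itself rather than in the session object, so validation needs no session lookup before the ID is accepted; a cookie that fails the check is simply treated as absent. Because the tag is only as strong as the server key, rotating the key logs every user out, which is the usual trade-off with this approach.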

# re: How are Session IDs guaranteed to be unique? 7/11/2005 2:44 PM Xander Sherry

>"MAC addresses are guaranteed to be unique because they are brought out by manufacturers."

MAC addresses are not guaranteed to be unique mathematically as the previous poster stated, however, and in fact are not guaranteed to be unique at all. First, you have defects. I've heard more than one story about devilishly hard to track down network issues being traced to bad batches of NICs that were assigned identical MAC addresses. Beyond that, you can buy (or build) NICs that have user-assignable MAC addresses, and there's nothing stopping you from giving the same address to two or more cards.

I am a Microsoft MVP for ASP.NET.
I am an ASPInsider.