Scott on Writing

Musings on technical writing...

How are Session IDs guaranteed to be unique?

The other day I was reading Jeff Prosise's article Foiling Session Hijacking Attempts and it got me wondering how, exactly, session IDs are chosen and how they are guaranteed to be unique.  The last thing you want is two distinct visitors hitting your site and being assigned, by chance, the exact same session ID, since those two unlucky visitors would then “share” session state.

Session hijacking is an attack where the attacker attempts to guess a valid session ID or “steals” a valid user's session cookie.  Jeff says that guessing a valid session ID is a pretty hard attack to successfully pull off with ASP.NET since the session ID is “a highly-random 120-bit ID.”  If you check out the formal docs for ASP.NET Session State - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconsessionstate.asp - it says:

"Each active ASP.NET session is identified and tracked using a 120-bit SessionID string containing only the ASCII characters that are allowed in URLs. SessionID values are generated using an algorithm that guarantees uniqueness so that sessions do not collide, and randomness so that a malicious user cannot use a new SessionID to calculate the SessionID of an existing session."

My question is - how are the selected session IDs guaranteed to be unique?  Using Reflector and poking around the session state code (specifically System.Web.SessionState.SessionId and System.Web.SessionState.SessionStateModule), I fail to see how the algorithm guarantees uniqueness.

The only method that calls SessionId.Create is SessionStateModule.BeginAcquireState, which doesn't appear to do any validation to ensure the session ID is unique.  Am I missing something obvious here?

From my understanding, the session ID is generated by a cryptographically strong algorithm, but I'm not too familiar with the properties of such algorithms.  I imagine they provide a stronger pseudo-random technique than non-cryptographically strong algorithms... maybe one of the properties of such algorithms is that it takes a really long time before a random number is picked that has been picked before.

And, yes, I realize that 2^120 is a huge number, a number that, if written out, would consist of 36 digits... but still, I am wondering how the absence of conflicting session IDs is guaranteed.

So, does anyone know how this guarantee is made?  Am I missing something in Reflector, or do I just need a better understanding of cryptographically strong pseudo-random number generators?  Any info most appreciated.

posted on Wednesday, June 15, 2005 10:53 PM

Feedback

# re: How are Session IDs guaranteed to be unique? 6/16/2005 5:56 AM Hannes Pavelka

Cryptographically strong with respect to pseudo random number generators means that after running the generator for n steps you cannot predict the next bit (b_i) after seeing bits (b_1, b_2, ..., b_{i-1}) with a probability better than 0.5.

Assume you have 11000101 generated so far, the chance for you to guess the next bit correctly is 0.5.

If for any reason you detect a certain pattern and thus your probability to guess correctly is greater than 0.5, the algorithm is not considered cryptographically secure anymore.

The cryptographic aspect prevents "clever guessing".

The generated IDs are statistically unique, which means the chance of generating the same SessionID is 7.1e-37.

Even if you issue a billion session IDs, the chance that two SessionIDs collide is 7.1e-28.

A probability of 7.1e-28 is so incredibly low that it is more likely you win a multistate lottery and get struck by lightning the same day.

But it's true SessionIDs are not mathematically unique. GUIDs & MAC addresses are not mathematically unique either.
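Worked example added here (not code from the post, the comments or ASP.NET itself) for the question the post raises and the figures in the comment above: it draws a 120-bit ID from the operating system's cryptographic generator and encodes it in 24 URL-safe characters, then computes the two probabilities that get mixed up in these discussions, the chance that one new ID matches any of n IDs already in use (n / 2^120, the quantity the figures above describe) versus the birthday bound for any pair among n issued IDs. The 32-symbol alphabet is an assumption for illustration, not ASP.NET's actual encoding table.

```python
import math
import random
import secrets
import string

ID_BITS = 120
ID_BYTES = ID_BITS // 8            # 15 random bytes
# Constructed 32-symbol alphabet: each symbol carries 5 bits, so 120 bits -> 24 chars.
# Assumption for illustration only; ASP.NET uses its own URL-safe table.
ALPHABET = string.ascii_lowercase + "012345"


def new_session_id(rng=secrets.token_bytes) -> str:
    """Draw 120 bits from `rng` (default: the OS CSPRNG) and base-32 encode them."""
    value = int.from_bytes(rng(ID_BYTES), "big")
    chars = []
    for _ in range(ID_BITS // 5):
        chars.append(ALPHABET[value & 0x1F])   # take 5 bits at a time
        value >>= 5
    return "".join(chars)


def weak_id(seed: int) -> str:
    """Same seed, same ID: a non-cryptographic PRNG is reproducible, which is
    exactly the 'clever guessing' a CSPRNG is meant to rule out. Illustration only."""
    return new_session_id(rng=random.Random(seed).randbytes)


def p_new_id_collides(existing: int, bits: int = ID_BITS) -> float:
    """P(one fresh ID equals any of `existing` IDs already live) = existing / 2^bits."""
    return existing / 2 ** bits


def p_any_collision(n: int, bits: int = ID_BITS) -> float:
    """Birthday bound: P(at least one pair among n IDs coincides) ~ n(n-1) / (2 * 2^bits),
    accurate while n is far below 2^(bits/2)."""
    return n * (n - 1) / (2 * 2 ** bits)


def ids_for_collision_probability(target: float, bits: int = ID_BITS) -> int:
    """Number of IDs that must be issued before P(any collision) reaches `target`."""
    return math.ceil(math.sqrt(2 * 2 ** bits * math.log(1 / (1 - target))))
```

With a billion IDs in use, a single new ID collides with one of them with probability about 7.5e-28, while the chance that any two of the billion coincide is about 3.8e-19; reaching a 50% chance of any collision takes on the order of 1.4e18 issued IDs.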

# re: How are Session IDs guaranteed to be unique? 6/17/2005 11:42 AM Justin Lovell

"& MAC addresses are not mathematically unique either."

MAC addresses are guaranteed to be unique because they are brought out by manufacturers. For example, they buy the 00-*** range. What they do internally is up to them. However, the point is that the generation of the MAC address is not mathematical - it is assigned slots of identification.

# re: How are Session IDs guaranteed to be unique? 6/18/2005 7:30 PM Kale

The strange thing is that ASP.NET doesn't seem to check whether a sent SessionID comes from the same IP address + port (like SSL does). When this is the case, it makes the security indeed weak, because a network-sniffing hacker could fetch the SessionID and 'login' to your account.

But I can't believe that programming this check is that hard (or CPU consuming). Just compare the current IP address and port number to the previous IP address and port stored in the session object.

# re: How are Session IDs guaranteed to be unique? 6/18/2005 9:02 PM Scott Mitchell

Kale, the approach you describe is essentially the increased security measure that Jeff Prosise adds in his article:
http://msdn.microsoft.com/msdnmag/issues/04/08/WickedCode/

# re: How are Session IDs guaranteed to be unique? 6/19/2005 3:18 PM Kale

I'm sorry, I wasn't paying attention. I should have read Jeff Prosise's article.

What Jeff says is that you can't use the whole IP address and the port number, because some proxies may change this on every request (AOL). So, my proposed solution could lead to complications when users connect through proxies (they run into SessionIncorrectException).

# re: How are Session IDs guaranteed to be unique? 7/11/2005 2:44 PM Xander Sherry

>"MAC addresses are guaranteed to be unique because they are brought out by manufacturers."

MAC addresses are not guaranteed to be unique mathematically as the previous poster stated, however, and in fact are not guaranteed to be unique at all. First, you have defects. I've heard more than one story about devilishly hard to track down network issues being traced to bad batches of NICs that were assigned identical MAC addresses. Beyond that, you can buy (or build) NICs that have user-assignable MAC addresses, and there's nothing stopping you from giving the same address to two or more cards.
