RE: IIS session cookies

From: Forrest Lee Andrews (lee.andrewsat_private)
Date: Sat Dec 07 2002 - 20:00:23 PST


    1) no, you can't specify the sessionID length.
    2) The session-ID is agnostic as to SSL.  If SSL is enabled, all traffic,
    including the sessionID will be encrypted.  Otherwise, it will be in
    cleartext.

    -----Original Message-----
    From: securityarchitectat_private [mailto:securityarchitectat_private]
    Sent: Saturday, December 07, 2002 8:52 PM
    To: cairnscat_private; kspettat_private
    Cc: webappsecat_private; secprogat_private;
    mikehowat_private
    Subject: Re: IIS session cookies

    Not knowing much about Windows, ASP or .NET, does IIS allow you to set
    sessionID length? If so, how?

    How does it move users from a non-SSL session to a SSL session (i.e. does a
    new value get set)?
    
    On Fri, 06 Dec 2002 07:18:35 -0800 Kevin Spett <kspettat_private>
    wrote:
    >From http://www.securiteam.com/windowsntfocus/6C00L003GA.html:
    >
    >"LJALNFJCGLOICFEPIAPBFDEJ is a 32 character "munge" of the 32 bit session ID
    >(see later for how session ID is created). Session ID is created from a
    >random seed number that is generated when the system starts up). The random
    >seed is incremented every time a new session starts. Note that the "munge"
    >doesn't increment in the same way that the Session ID does.
    >Since the 8 char string after ASPSESSIONID is a "munge" of the process ID it
    >will be (a) the same for all "In-process" applications (b) a different value
    >is shared for all "Medium isolation (pooled)" applications and (c) unique
    >for each Out-of-process application."
    >
    >From
    >http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnasp/html/aspwsm.asp:
    >
    >"The following steps are taken when generating ASP session cookies:
    >* Session ID values are 32-bit long integers.
    >* Each time the Web server is restarted, a random Session ID starting value
    >is selected.
    >* For each ASP session that is created, this Session ID value is incremented.
    >* The 32-bit Session ID is mixed with random data and encrypted to generate
    >a 16-character cookie string. Later, when a cookie is received, the Session
    >ID can be restored from the 16-character cookie string (ASPSESSIONID).
    >* The encryption key used is randomly selected each time the Web server is
    >restarted."
    >
    >I don't know for sure, but I'm guessing that they're using CryptGenRandom
    >for the PRNG, which uses mouse & keyboard events timing, system clock,
    >system time, system counter, memory status, free disk clusters, etc.  To my
    >knowledge, it's sufficiently "random" to make them unpredictable in
    >practical terms.
    >
    >Hope that helps.
    >
    >
    >
    >Kevin Spett
    >SPI Labs
    >http://www.spidynamics.com/
    >
    >
    >----- Original Message -----
    >From: "Cade Cairns" <cairnscat_private>
    >To: "Kevin Spett" <kspettat_private>
    >Cc: <webappsecat_private>
    >Sent: Friday, December 06, 2002 2:48 AM
    >Subject: Re: IIS session cookies
    >
    >
    >> I'm curious whether the ASPSESSIONID value generated is predictable and if
    >> so, to what extent.
    >>
    >> Cade Cairns
    >> Symantec Corporation
    >>
    >> On Thu, 5 Dec 2002, Kevin Spett wrote:
    >>
    >> > What do you mean by "IIS session cookies"?  Do you mean the ASPSESSIONID
    >> > feature? And what do you mean by formed?  Are you talking about the PRNG
    >> > behind it, or how a developer can use them?
    >> >
    >> >
    >> > Kevin Spett
    >> > SPI Labs
    >> > http://www.spidynamics.com/
    >> >
    >> > ----- Original Message -----
    >> > From: "Cade Cairns" <cairnscat_private>
    >> > To: <webappsecat_private>
    >> > Sent: Thursday, December 05, 2002 5:29 PM
    >> > Subject: IIS session cookies
    >> >
    >> >
    >> > > Hello webappsec,
    >> > >
    >> > > I'm looking for information on how IIS session cookies are formed (that
    >> > > is, what data they consist of or how they are encoded, etc.)  Is anyone
    >> > > aware of any papers or resources on the subject?
    >> > >
    >> > > Thanks,
    >> > >
    >> > > Cade Cairns
    >> > > Symantec Corporation
    >> > >
    >> > >
    >> >
    >>
    >>
    >
    >
    >
    
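An added example, not part of the thread above and not code from IIS or from any of the posters: the question of what happens to the session value when a user is moved from a non-SSL page to an SSL page, and the reply that the ID is the same either way and travels in cleartext without SSL, can be turned into a check a developer or tester runs over captured responses. The Python below parses the Set-Cookie headers of a plain-HTTP response and of the first HTTPS response, reports whether the session ID issued in cleartext is simply carried over or a fresh one is set, and (going one step beyond the thread) whether the SSL-issued cookie carries the Secure attribute, without which a browser would send it back over plain HTTP later. The helper names `parse_set_cookie`, `session_cookies` and `audit_ssl_transition`, the header captures, and the cookie names and values are all constructed for this illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample captures (not from the original thread). Scenario A is the
# behaviour the reply above describes: the same ASPSESSIONID cookie, first set
# over plain HTTP, keeps serving the session once the user is on an SSL page.
# Scenario B is a hardened deployment that re-issues the ID under SSL.
HTTP_LOGIN_PAGE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: ASPSESSIONIDQGQGQGQG=KMLBDEHAFCGJNOPQRSTUVWXY; path=/",
    "Content-Type: text/html",
]
HTTPS_AFTER_LOGIN_WEAK = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
]
HTTPS_AFTER_LOGIN_HARDENED = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: ASPSESSIONIDQGQGQGQG=ZYXWVUTSRQPONMLKJIHGFEDC; path=/; Secure; HttpOnly",
    "Content-Type: text/html",
]


def parse_set_cookie(header_lines):
    """Collect every Set-Cookie header of a captured response into {name: Morsel}."""
    jar = SimpleCookie()
    for line in header_lines:
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            jar.load(value.strip())
    return dict(jar)


def session_cookies(header_lines, prefix="ASPSESSIONID"):
    """Keep only the cookies whose name starts with the ASP session prefix."""
    return {n: m for n, m in parse_set_cookie(header_lines).items() if n.startswith(prefix)}


def audit_ssl_transition(http_headers, https_headers, prefix="ASPSESSIONID"):
    """Compare the session cookie set on a plain-HTTP response with the one (if any)
    set once the user lands on an HTTPS page, and list what a reviewer would flag."""
    before = session_cookies(http_headers, prefix)
    after = session_cookies(https_headers, prefix)
    findings = []

    # Point 2 of the reply: without SSL the session ID crosses the wire in cleartext.
    cleartext_exposed = bool(before)
    if cleartext_exposed:
        findings.append("session id was issued over plain HTTP (cleartext on the wire)")

    # Did the SSL side issue a fresh value, or does the cleartext one carry over?
    reissued = bool(after) and all(
        name not in before or morsel.value != before[name].value
        for name, morsel in after.items()
    )
    if cleartext_exposed and not reissued:
        findings.append("id issued over HTTP is still the session id under SSL; "
                        "regenerate it at the transition")

    # Secure stops the browser from sending the SSL-issued cookie over plain HTTP.
    # http.cookies stores the flag as True when present and "" when absent.
    secure = bool(after) and all(morsel["secure"] is True for morsel in after.values())
    if after and not secure:
        findings.append("session cookie set over HTTPS lacks the Secure attribute")

    return {
        "reissued": reissued,
        "secure": secure,
        "cleartext_exposed": cleartext_exposed,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, https in (("weak", HTTPS_AFTER_LOGIN_WEAK),
                         ("hardened", HTTPS_AFTER_LOGIN_HARDENED)):
        report = audit_ssl_transition(HTTP_LOGIN_PAGE, https)
        print(label, report)
```

Run it against real captures by replacing the two header lists with the raw response headers of the last plain-HTTP page and the first HTTPS page of the flow; the prefix argument lets the same check cover other session cookie names.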



    This archive was generated by hypermail 2b30 : Sun Dec 08 2002 - 13:53:14 PST