RE: IIS session cookies

>I don't know for sure, but I'm guessing that they're using
CryptGenRandom

Yeah, iis uses CryptGenRandom for this stuff..

Cheers, Michael
Secure Windows Initiative
Writing Secure Code
http://www.microsoft.com/mspress/books/5612.asp -----Original Message-----
From: Kevin Spett [mailto:kspett@spidynamics.com] Sent: Friday, December 06, 2002 7:19 AM
To: Cade Cairns
Cc: webappsec@securityfocus.com; secprog@securityfocus.com; Michael Howard

>From http://www.securiteam.com/windowsntfocus/6C00L003GA.html:

"LJALNFJCGLOICFEPIAPBFDEJ is a 32 character "munge" of the 32 bit session ID (see later for how session ID is created) Session ID is created from a random seed number that is generated when the system starts up). The random seed is incremented every time a new session starts. Note that the "munge" doesn't increment in the same way that the Session ID does.
Since the 8 char string after ASPSESSIONID is a "munge" of the process ID it will be (a) the same for all "In-process" applications (b) a different value is shared for all "Medium isolation (pooled)" applications and (c) unique for each Out-of-process application."

From
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnasp/h tml/
aspwsm.asp:

"The following steps are taken when generating ASP session cookies: * Session ID values are 32-bit long integers. * Each time the Web server is restarted, a random Session ID starting value is selected.
* For each ASP session that is created, this Session ID value is incremented.
* The 32-bit Session ID is mixed with random data and encrypted to generate a 16-character cookie string. Later, when a cookie is received, the Session ID can be restored from the 16-character cookie string (ASPSESSIONID).
* The encryption key used is randomly selected each time the Web server is restarted."

I don't know for sure, but I'm guessing that they're using CryptGenRandom for the PRNG, which uses mouse & keyboard events timing, system clock, system time, system counter, memory status, free disk clusters, etc. To my knowledge, it's sufficiently "random" to make them unpredictable in practical terms.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Hope that helps.

Kevin Spett
SPI Labs
http://www.spidynamics.com/

• Original Message ----- From: "Cade Cairns" <cairnsc@securityfocus.com> To: "Kevin Spett" <kspett@spidynamics.com> Cc: <webappsec@securityfocus.com> Sent: Friday, December 06, 2002 2:48 AM Subject: Re: IIS session cookies

> I'm curious whether the ASPSESSIONID value generated is predictable
> and if so, to what extent.
>
> Cade Cairns
> Symantec Corporation
>
> On Thu, 5 Dec 2002, Kevin Spett wrote:
>
> > What do you mean by "IIS session cookies"? Do you mean the
> > ASPSESSIONID feature? And what do you mean by formed? Are you
> > talking about the PRNG behind it, or how a developer can use them?
> >
> >
> > Kevin Spett
> > SPI Labs
> > http://www.spidynamics.com/
(that
> > > is, what data they consist of or how they are encoded, etc.) Is
anyone
> > > aware of any papers or resources on the subject?
Received on Sat Dec 7 20:07:15 2002