Hosting Provided By

Re: IIS session cookies

From: Takayuki Nakamura <naka(at)gtisec.net>
Date: Thu Dec 05 2002 - 23:43:41 EST

hello.

The following is quoted from microsoft website. # I couldn't find any information on ASP SessionID other than this. # This document was written on April 2, 1997 :(

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnasp/html/aspwsm.asp

The following steps are taken when generating ASP session cookies:

Session ID values are 32-bit long integers.
Each time the Web server is restarted, a random Session ID starting value is selected.
For each ASP session that is created, this Session ID value is incremented.
The 32-bit Session ID is mixed with random data and encrypted to generate a 16-character cookie string. Later, when a
cookie is received, the Session ID can be restored from the 16-character cookie string (ASPSESSIONID).
The encryption key used is randomly selected each time the Web server is restarted.
naka <naka@gtisec.net>

Cade Cairns wrote:
>Hello webappsec,
Received on Sat Dec 7 20:21:55 2002

This message: [ Message body ]
Next message: securityarchitect(at)hush.com: "Re: IIS session cookies"
Previous message: Kevin Spett: "Re: IIS session cookies"
In reply to Cade Cairns: "IIS session cookies"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:45 EDT