RE: IIS session cookies

["Forrest Lee Andrews" <lee.andrews () cox net>]

1) no, you can't specify the sessionID length.
2) The session-ID is agnostic as to SSL.  If SSL is enabled, all traffic,
including the sessionID will be encrypted.  Otherwise, it will be in
cleartext.





-----Original Message-----
From: securityarchitect () hush com [mailto:securityarchitect () hush com]
Sent: Saturday, December 07, 2002 8:52 PM
To: cairnsc () securityfocus com; kspett () spidynamics com
Cc: webappsec () securityfocus com; secprog () securityfocus com;
mikehow () microsoft com
Subject: Re: IIS session cookies



Not knowing much about Windows, ASP or .NET, does IIS allow you to

Set sessionID length ? If so how ?

How does it move users from a non-SSL session to a SSL session (ie does a
new value get set) ?

On Fri, 06 Dec 2002 07:18:35 -0800 Kevin Spett <kspett () spidynamics com>
wrote:
> From http://www.securiteam.com/windowsntfocus/6C00L003GA.html:
>
> "LJALNFJCGLOICFEPIAPBFDEJ is a 32 character "munge" of the 32 bit
> session ID
> (see later for how session ID is created)
> Session ID is created from a random seed number that is generated
> when the
> system starts up). The random seed is incremented every time a new
> session
> starts. Note that the "munge" doesn't increment in the same way
> that the
> Session ID does.
> Since the 8 char string after ASPSESSIONID is a "munge" of the process
> ID it
> will be (a) the same for all "In-process" applications (b) a different
> value
> is shared for all "Medium isolation (pooled)" applications and (c)
> unique
> for each Out-of-process application."
>
> From
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnasp/html
/
> aspwsm.asp:
>
> "The following steps are taken when generating ASP session cookies:
> * Session ID values are 32-bit long integers.
> * Each time the Web server is restarted, a random Session ID starting
> value
> is selected.
> * For each ASP session that is created, this Session ID value is
> incremented.
> * The 32-bit Session ID is mixed with random data and encrypted
> to generate
> a 16-character cookie string. Later, when a cookie is received,
> the Session
> ID can be restored from the 16-character cookie string (ASPSESSIONID).
> * The encryption key used is randomly selected each time the Web
> server is
> restarted."
>
> I don't know for sure, but I'm guessing that they're using CryptGenRandom
> for the PRNG, which uses mouse & keyboard events timing, system
> clock,
> system time, system counter, memory status, free disk clusters,
> etc.  To my
> knowledge, it's sufficiently "random" to make them unpredictable
> in
> practical terms.
>
> Hope that helps.
>
>
>
> Kevin Spett
> SPI Labs
> http://www.spidynamics.com/
>
>
> ----- Original Message -----
> From: "Cade Cairns" <cairnsc () securityfocus com>
> To: "Kevin Spett" <kspett () spidynamics com>
> Cc: <webappsec () securityfocus com>
> Sent: Friday, December 06, 2002 2:48 AM
> Subject: Re: IIS session cookies
>
>
> > I'm curious whether the ASPSESSIONID value generated is predictable
> and if
> > so, to what extent.
> >
> > Cade Cairns
> > Symantec Corporation
> >
> > On Thu, 5 Dec 2002, Kevin Spett wrote:
> >
> > > What do you mean by "IIS session cookies"?  Do you mean the
> ASPSESSIONID
> > > feature? And what do you mean by formed?  Are you talking about
> the PRNG
> > > behind it, or how a developer can use them?
> > >
> > >
> > > Kevin Spett
> > > SPI Labs
> > > http://www.spidynamics.com/
> > >
> > > ----- Original Message -----
> > > From: "Cade Cairns" <cairnsc () securityfocus com>
> > > To: <webappsec () securityfocus com>
> > > Sent: Thursday, December 05, 2002 5:29 PM
> > > Subject: IIS session cookies
> > >
> > >
> > > > Hello webappsec,
> > > >
> > > > I'm looking for information on how IIS session cookies are
> formed
> (that
> > > > is, what data they consist of or how they are encoded, etc.)
> Is
> anyone
> > > > aware of any papers or resources on the subject?
> > > >
> > > > Thanks,
> > > >
> > > > Cade Cairns
> > > > Symantec Corporation



Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Big $$$ to be made with the HushMail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427