Re: IIS session cookies
From: securityarchitect@hush.com
Date: 12/08/02
Date: Sat, 7 Dec 2002 18:51:48 -0800
To: cairnsc@securityfocus.com, kspett@spidynamics.com
From: securityarchitect@hush.com
Not knowing much about Windows, ASP or .NET, does IIS allow you to set the session ID length? If so, how?
How does it move users from a non-SSL session to an SSL session (i.e. does a new value get set)?
On Fri, 06 Dec 2002 07:18:35 -0800 Kevin Spett <kspett@spidynamics.com> wrote:
>From http://www.securiteam.com/windowsntfocus/6C00L003GA.html:
>
>"LJALNFJCGLOICFEPIAPBFDEJ is a 32 character "munge" of the 32 bit session ID
>(see later for how session ID is created)
>Session ID is created from a random seed number that is generated when the
>system starts up). The random seed is incremented every time a new session
>starts. Note that the "munge" doesn't increment in the same way that the
>Session ID does.
>Since the 8 char string after ASPSESSIONID is a "munge" of the process ID it
>will be (a) the same for all "In-process" applications (b) a different value
>is shared for all "Medium isolation (pooled)" applications and (c) unique
>for each Out-of-process application."
>
>From http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnasp/html/aspwsm.asp:
>
>"The following steps are taken when generating ASP session cookies:
>* Session ID values are 32-bit long integers.
>* Each time the Web server is restarted, a random Session ID starting value
>is selected.
>* For each ASP session that is created, this Session ID value is incremented.
>* The 32-bit Session ID is mixed with random data and encrypted to generate
>a 16-character cookie string. Later, when a cookie is received, the Session
>ID can be restored from the 16-character cookie string (ASPSESSIONID).
>* The encryption key used is randomly selected each time the Web server is
>restarted."
>
>I don't know for sure, but I'm guessing that they're using CryptGenRandom
>for the PRNG, which uses mouse & keyboard events timing, system clock,
>system time, system counter, memory status, free disk clusters, etc. To my
>knowledge, it's sufficiently "random" to make them unpredictable in
>practical terms.
>
>Hope that helps.
>
>Kevin Spett
>SPI Labs
>http://www.spidynamics.com/
>
>----- Original Message -----
>From: "Cade Cairns" <cairnsc@securityfocus.com>
>To: "Kevin Spett" <kspett@spidynamics.com>
>Cc: <webappsec@securityfocus.com>
>Sent: Friday, December 06, 2002 2:48 AM
>Subject: Re: IIS session cookies
>
>> I'm curious whether the ASPSESSIONID value generated is predictable and if
>> so, to what extent.
>>
>> Cade Cairns
>> Symantec Corporation
>>
>> On Thu, 5 Dec 2002, Kevin Spett wrote:
>>
>> > What do you mean by "IIS session cookies"? Do you mean the ASPSESSIONID
>> > feature? And what do you mean by formed? Are you talking about the PRNG
>> > behind it, or how a developer can use them?
>> >
>> > Kevin Spett
>> > SPI Labs
>> > http://www.spidynamics.com/
>> >
>> > ----- Original Message -----
>> > From: "Cade Cairns" <cairnsc@securityfocus.com>
>> > To: <webappsec@securityfocus.com>
>> > Sent: Thursday, December 05, 2002 5:29 PM
>> > Subject: IIS session cookies
>> >
>> > > Hello webappsec,
>> > >
>> > > I'm looking for information on how IIS session cookies are formed (that
>> > > is, what data they consist of or how they are encoded, etc.) Is anyone
>> > > aware of any papers or resources on the subject?
>> > >
>> > > Thanks,
>> > >
>> > > Cade Cairns
>> > > Symantec Corporation
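Added example, not part of the thread and not code from IIS or from any of the posters: the two questions raised above (is the ASPSESSIONID value predictable, and what happens when a session moves from plain HTTP to SSL) are both things a defender can check on their own server from a sample of Set-Cookie headers. The script below parses ASPSESSIONID* cookies out of response headers, estimates the per-character Shannon entropy of the values, and reports a cookie that is set without the Secure attribute (which means the browser will keep sending it over plain HTTP after the move to SSL). The sample headers are constructed here; the letter alphabet A-P is an assumption taken from the quoted cookie value, and the 8-character cookie-name suffix QQGGGNQG is made up.

```python
"""Audit sampled Set-Cookie headers for low-entropy ASPSESSIONID values
and for session cookies not restricted to SSL (added example, not IIS code)."""
import math
import random
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOP"   # assumption: letters seen in the quoted cookie value
SUFFIX = "QQGGGNQG"             # constructed 8-character cookie-name suffix

# Constructed samples, not captured from a real server.
# Batch 1 mimics a generator whose output only varies in the last character
# and never sets the Secure attribute.
WEAK_HEADERS = [
    f"Set-Cookie: ASPSESSIONID{SUFFIX}={'A' * 23}{c}; path=/" for c in ALPHABET[:8]
]
# Batch 2 mimics a generator that varies every character (seeded so the
# sample is reproducible) and marks the cookie Secure.
_rng = random.Random(2002)
STRONG_HEADERS = [
    f"Set-Cookie: ASPSESSIONID{SUFFIX}={''.join(_rng.choice(ALPHABET) for _ in range(24))}; path=/; secure"
    for _ in range(8)
]


def parse_session_cookie(header):
    """Return (name, value, attribute-names) for an ASPSESSIONID* Set-Cookie
    header, or None for any other header."""
    if not header.lower().startswith("set-cookie:"):
        return None
    body = header.split(":", 1)[1]
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    if not name.startswith("ASPSESSIONID"):
        return None
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, value, attrs


def per_position_entropy(values):
    """Shannon entropy in bits of each character position across the sample."""
    if not values:
        return []
    n = len(values)
    length = min(len(v) for v in values)
    entropies = []
    for i in range(length):
        counts = Counter(v[i] for v in values)
        entropies.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return entropies


def estimated_entropy_bits(values):
    """Sum of per-position entropies; only as good as the sample size."""
    return sum(per_position_entropy(values))


def audit(headers, min_fraction=0.5):
    """Score a sample of Set-Cookie headers.  The entropy estimate cannot exceed
    length * log2(sample size), so it is reported as a fraction of that
    ceiling; collect hundreds of cookies before trusting the number."""
    cookies = [c for c in map(parse_session_cookie, headers) if c]
    values = [v for _, v, _ in cookies]
    findings = []
    if not values:
        return {"samples": 0, "findings": ["no ASPSESSIONID cookie found"]}
    bits = estimated_entropy_bits(values)
    ceiling = min(len(v) for v in values) * math.log2(len(values))
    fraction = bits / ceiling if ceiling else 0.0
    if fraction < min_fraction:
        findings.append(f"low entropy: {bits:.1f} bits, {fraction:.0%} of the "
                        f"{ceiling:.0f}-bit sample ceiling")
    if any("secure" not in a for _, _, a in cookies):
        findings.append("session cookie set without the Secure attribute "
                        "(browser will also send it over plain HTTP)")
    # Per the quoted description the suffix identifies the application's
    # process; a suffix that changes between responses is worth a look.
    suffixes = sorted({n[len("ASPSESSIONID"):] for n, _, _ in cookies})
    if len(suffixes) > 1:
        findings.append(f"cookie name suffix varies across responses: {suffixes}")
    return {"samples": len(values), "entropy_bits": bits,
            "entropy_fraction": fraction, "name_suffixes": suffixes,
            "findings": findings}


if __name__ == "__main__":
    for label, batch in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(label, audit(batch))
```

Run against real traffic, feed it the Set-Cookie lines from a few hundred fresh sessions to your own server; with eight samples the ceiling is only 3 bits per character, which is why the script reports a fraction of the ceiling rather than an absolute bit count. A value that varies in only a few positions, or a cookie issued without Secure before the switch to SSL, shows up as a finding.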