Re: IIS session cookies

From: securityarchitect@hush.com
Date: 12/08/02

    Date: Sat,  7 Dec 2002 18:51:48 -0800
    To: cairnsc@securityfocus.com, kspett@spidynamics.com
    From: securityarchitect@hush.com
    

    Not knowing much about Windows, ASP or .NET, does IIS allow you to set the
    session ID length? If so, how?

    How does it move users from a non-SSL session to an SSL session (i.e. does a
    new value get set)?

    On Fri, 06 Dec 2002 07:18:35 -0800 Kevin Spett <kspett@spidynamics.com> wrote:
    >From http://www.securiteam.com/windowsntfocus/6C00L003GA.html:
    >
    >"LJALNFJCGLOICFEPIAPBFDEJ is a 32 character "munge" of the 32 bit session ID
    >(see later for how session ID is created). Session ID is created from a
    >random seed number that is generated when the system starts up. The random
    >seed is incremented every time a new session starts. Note that the "munge"
    >doesn't increment in the same way that the Session ID does.
    >Since the 8 char string after ASPSESSIONID is a "munge" of the process ID it
    >will be (a) the same for all "In-process" applications (b) a different value
    >is shared for all "Medium isolation (pooled)" applications and (c) unique
    >for each Out-of-process application."
    >
    >From
    >http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnasp/html/aspwsm.asp:
    >
    >"The following steps are taken when generating ASP session cookies:
    >* Session ID values are 32-bit long integers.
    >* Each time the Web server is restarted, a random Session ID starting value
    >is selected.
    >* For each ASP session that is created, this Session ID value is incremented.
    >* The 32-bit Session ID is mixed with random data and encrypted to generate
    >a 16-character cookie string. Later, when a cookie is received, the Session
    >ID can be restored from the 16-character cookie string (ASPSESSIONID).
    >* The encryption key used is randomly selected each time the Web server is
    >restarted."
    >
    >I don't know for sure, but I'm guessing that they're using CryptGenRandom
    >for the PRNG, which uses mouse & keyboard events timing, system clock,
    >system time, system counter, memory status, free disk clusters, etc. To my
    >knowledge, it's sufficiently "random" to make them unpredictable in
    >practical terms.
    >
    >Hope that helps.
    >
    >Kevin Spett
    >SPI Labs
    >http://www.spidynamics.com/
    >
    >----- Original Message -----
    >From: "Cade Cairns" <cairnsc@securityfocus.com>
    >To: "Kevin Spett" <kspett@spidynamics.com>
    >Cc: <webappsec@securityfocus.com>
    >Sent: Friday, December 06, 2002 2:48 AM
    >Subject: Re: IIS session cookies
    >
    >> I'm curious whether the ASPSESSIONID value generated is predictable and if
    >> so, to what extent.
    >>
    >> Cade Cairns
    >> Symantec Corporation
    >>
    >> On Thu, 5 Dec 2002, Kevin Spett wrote:
    >>
    >> > What do you mean by "IIS session cookies"? Do you mean the ASPSESSIONID
    >> > feature? And what do you mean by formed? Are you talking about the PRNG
    >> > behind it, or how a developer can use them?
    >> >
    >> > Kevin Spett
    >> > SPI Labs
    >> > http://www.spidynamics.com/
    >> >
    >> > ----- Original Message -----
    >> > From: "Cade Cairns" <cairnsc@securityfocus.com>
    >> > To: <webappsec@securityfocus.com>
    >> > Sent: Thursday, December 05, 2002 5:29 PM
    >> > Subject: IIS session cookies
    >> >
    >> > > Hello webappsec,
    >> > >
    >> > > I'm looking for information on how IIS session cookies are formed (that
    >> > > is, what data they consist of or how they are encoded, etc.) Is anyone
    >> > > aware of any papers or resources on the subject?
    >> > >
    >> > > Thanks,
    >> > >
    >> > > Cade Cairns
    >> > > Symantec Corporation

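Added example, not part of the thread or of Microsoft's documentation: the kind of sanity check Cade's predictability question calls for, run over a sample of ASPSESSIONID-style cookie values a tester has collected from their own server. It estimates how many bits of variation the sample shows and tests whether consecutive cookies decode to a bare counter, which is what would show through if the "mixed with random data and encrypted" step in the quoted MSDN text were missing. It assumes an A-P alphabet (16 symbols, as the example string quoted above suggests) read as base-16 digits A=0 .. P=15; that decoding and both sample sets are constructed for illustration.

```python
import math
import random
from collections import Counter

# Assumption: cookie characters come from A..P (16 symbols, 4 bits each), as the
# example string quoted in the thread suggests. Reading A=0 .. P=15 as base-16
# digits is a guess for illustration, not IIS's actual "munge".
ALPHABET = "ABCDEFGHIJKLMNOP"

def encode_munge(value, length=16):
    """Write an integer as a fixed-width A-P string (only used to build samples)."""
    chars = []
    for _ in range(length):
        chars.append(ALPHABET[value & 0xF])
        value >>= 4
    return "".join(reversed(chars))

def decode_munge(cookie):
    """Read an A-P string back as an integer (A=0 .. P=15)."""
    value = 0
    for ch in cookie:
        value = value * 16 + ALPHABET.index(ch)
    return value

def positional_entropy_bits(cookies):
    """Sum of per-position Shannon entropies over the sample, in bits: a crude
    ceiling on the information the cookies carry (16 A-P chars could hold 64)."""
    n = len(cookies)
    total = 0.0
    for pos in range(len(cookies[0])):
        counts = Counter(c[pos] for c in cookies)
        total -= sum(k / n * math.log2(k / n) for k in counts.values())
    return total

def looks_sequential(cookies):
    """True when consecutive cookies decode to integers one constant step apart,
    i.e. the session counter shows through without the mixing/encryption step."""
    values = [decode_munge(c) for c in cookies]
    return len({b - a for a, b in zip(values, values[1:])}) == 1

# Constructed samples, not real IIS output.
# WEAK: a 32-bit counter written straight into the cookie, as if no mixing ran.
WEAK = [encode_munge(0x12345678 + i) for i in range(8)]
# STRONG: 32 cookies drawn uniformly from the alphabet with a fixed seed.
_rng = random.Random(7)
STRONG = ["".join(_rng.choice(ALPHABET) for _ in range(16)) for _ in range(32)]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("strong", STRONG)):
        print(name, round(positional_entropy_bits(sample), 2), looks_sequential(sample))
```

The weak sample shows about 3 bits of variation and a constant step between cookies; the random sample shows tens of bits and no fixed step, which is the behaviour the MSDN description promises.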