Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Kevin Spett (kspett_at_spidynamics.com)
Date: Fri Dec 06 2002 - 09:18:35 CST
"LJALNFJCGLOICFEPIAPBFDEJ is a 32 character "munge" of the 32 bit session ID
(see later for how session ID is created)
Session ID is created from a random seed number that is generated when the
system starts up). The random seed is incremented every time a new session
starts. Note that the "munge" doesn't increment in the same way that the
Session ID does.
Since the 8 char string after ASPSESSIONID is a "munge" of the process ID it
will be (a) the same for all "In-process" applications (b) a different value
is shared for all "Medium isolation (pooled)" applications and (c) unique
for each Out-of-process application."
"The following steps are taken when generating ASP session cookies:
* Session ID values are 32-bit long integers.
* Each time the Web server is restarted, a random Session ID starting value
* For each ASP session that is created, this Session ID value is
* The 32-bit Session ID is mixed with random data and encrypted to generate
a 16-character cookie string. Later, when a cookie is received, the Session
ID can be restored from the 16-character cookie string (ASPSESSIONID).
* The encryption key used is randomly selected each time the Web server is
I don't know for sure, but I'm guessing that they're using CryptGenRandom
for the PRNG, which uses mouse & keyboard events timing, system clock,
system time, system counter, memory status, free disk clusters, etc. To my
knowledge, it's sufficiently "random" to make them unpredictable in
Hope that helps.
----- Original Message -----
From: "Cade Cairns" <cairnscsecurityfocus.com>
To: "Kevin Spett" <kspettspidynamics.com>
Sent: Friday, December 06, 2002 2:48 AM
Subject: Re: IIS session cookies
> I'm curious whether the ASPSESSIONID value generated is predictable and if
> so, to what extent.
> Cade Cairns
> Symantec Corporation
> On Thu, 5 Dec 2002, Kevin Spett wrote:
> > What do you mean by "IIS session cookies"? Do you mean the ASPSESSIONID
> > feature? And what do you mean by formed? Are you talking about the PRNG
> > behind it, or how a developer can use them?
> > Kevin Spett
> > SPI Labs
> > http://www.spidynamics.com/
> > ----- Original Message -----
> > From: "Cade Cairns" <cairnscsecurityfocus.com>
> > To: <webappsecsecurityfocus.com>
> > Sent: Thursday, December 05, 2002 5:29 PM
> > Subject: IIS session cookies
> > > Hello webappsec,
> > >
> > > I'm looking for information on how IIS session cookies are formed
> > > is, what data they consist of or how they are encoded, etc.) Is
> > > aware of any papers or resources on the subject?
> > >
> > > Thanks,
> > >
> > > Cade Cairns
> > > Symantec Corporation
> > >
> > >