Penetration Testing mailing list archives

A Brief Analysis of ASP.NET Session Identifiers


From: Tim <tim-pentest () sentinelchicken org>
Date: Sat, 20 Dec 2008 12:25:18 -0800

Hello,

Any of you ever looked closely at ASP.NET_SessionId cookies?  Ever
wondered why certain digits don't look so random?  Well I did, so I
spent some quality time with a debugger last weekend and figured out
just how those cookies are generated.

Nothing earth shattering was found, but there were some interesting
details that I thought would be worth writing up:
  http://www.sentinelchicken.com/research/aspdotnet_sessionid/

If nothing else, hopefully it will save someone else the time I just
spent uncovering the algorithm.

cheers,
tim
