WebApp Sec mailing list archives
Re: IIS session cookies
From: Takayuki Nakamura <naka () gtisec net>
Date: Fri, 06 Dec 2002 13:43:41 +0900
Hello.

The following is quoted from the Microsoft website.
# I couldn't find any information on ASP SessionID other than this.
# This document was written on April 2, 1997 :(

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnasp/html/aspwsm.asp

-----------
The following steps are taken when generating ASP session cookies:

- Session ID values are 32-bit long integers.
- Each time the Web server is restarted, a random Session ID starting value is selected.
- For each ASP session that is created, this Session ID value is incremented.
- The 32-bit Session ID is mixed with random data and encrypted to generate a 16-character cookie string. Later, when a cookie is received, the Session ID can be restored from the 16-character cookie string (ASPSESSIONID).
- The encryption key used is randomly selected each time the Web server is restarted.
-----------

- naka <naka () gtisec net>

Cade Cairns wrote:
> Hello webappsec,
>
> I'm looking for information on how IIS session cookies are formed (that is, what data they consist of or how they are encoded, etc.) Is anyone aware of any papers or resources on the subject?
>
> Thanks,
> Cade Cairns
> Symantec Corporation
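
A model of the scheme the quoted Microsoft document describes, added here as an example; it is not IIS code and not part of the thread. The cipher (a 4-round Feistel network over HMAC-SHA256), the 32 bits of random padding, the A-P encoding and the names CookieServer, issue and restore are all assumptions, since the document specifies none of them.

```python
import hashlib
import hmac
import secrets
import struct

ALPHABET = "ABCDEFGHIJKLMNOP"  # assumed encoding: 4 bits per character


def _round(key, rnd, half):
    """Assumed round function: 32 bits of HMAC-SHA256 over (round, half)."""
    mac = hmac.new(key, struct.pack(">BI", rnd, half), hashlib.sha256).digest()
    return struct.unpack(">I", mac[:4])[0]


def _feistel(key, block, rounds):
    """64-bit Feistel permutation; reversing the round order decrypts."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for rnd in rounds:
        left, right = right, left ^ _round(key, rnd, right)
    return (right << 32) | left


class CookieServer:
    """One boot of the modelled server (hypothetical class, not an IIS API)."""

    def __init__(self):
        self.key = secrets.token_bytes(16)   # key chosen at each restart
        self.next_id = secrets.randbits(32)  # random starting Session ID

    def issue(self):
        """Return (session_id, cookie) for a newly created session."""
        sid = self.next_id
        self.next_id = (sid + 1) & 0xFFFFFFFF       # incremented per session
        block = (sid << 32) | secrets.randbits(32)  # ID mixed with random data
        enc = _feistel(self.key, block, range(4))
        cookie = "".join(ALPHABET[(enc >> s) & 0xF] for s in range(60, -4, -4))
        return sid, cookie

    def restore(self, cookie):
        """Recover the 32-bit Session ID from a 16-character cookie."""
        enc = 0
        for ch in cookie:
            enc = (enc << 4) | ALPHABET.index(ch)
        return _feistel(self.key, enc, reversed(range(4))) >> 32
```

In this model, consecutive Session IDs produce unrelated-looking cookies, and a cookie issued before a restart decodes to a different value under the new key.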