WebApp Sec mailing list archives

RE: IIS session cookies


From: "Michael Howard" <mikehow () microsoft com>
Date: Fri, 6 Dec 2002 08:42:41 -0800

I don't know for sure, but I'm guessing that they're using
CryptGenRandom

Yeah, iis uses CryptGenRandom for this stuff..


Cheers, Michael
Secure Windows Initiative
Writing Secure Code 
http://www.microsoft.com/mspress/books/5612.asp
-----Original Message-----
From: Kevin Spett [mailto:kspett () spidynamics com] 
Sent: Friday, December 06, 2002 7:19 AM
To: Cade Cairns
Cc: webappsec () securityfocus com; secprog () securityfocus com; Michael
Howard

From http://www.securiteam.com/windowsntfocus/6C00L003GA.html:

"LJALNFJCGLOICFEPIAPBFDEJ is a 32 character "munge" of the 32 bit
session ID (see later for how session ID is created) Session ID is
created from a random seed number that is generated when the system
starts up). The random seed is incremented every time a new session
starts. Note that the "munge" doesn't increment in the same way that the
Session ID does.
Since the 8 char string after ASPSESSIONID is a "munge" of the process
ID it will be (a) the same for all "In-process" applications (b) a
different value is shared for all "Medium isolation (pooled)"
applications and (c) unique for each Out-of-process application."

From
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnasp/h
tml/
aspwsm.asp:

"The following steps are taken when generating ASP session cookies:
* Session ID values are 32-bit long integers.
* Each time the Web server is restarted, a random Session ID starting
value is selected.
* For each ASP session that is created, this Session ID value is
incremented.
* The 32-bit Session ID is mixed with random data and encrypted to
generate a 16-character cookie string. Later, when a cookie is received,
the Session ID can be restored from the 16-character cookie string
(ASPSESSIONID).
* The encryption key used is randomly selected each time the Web server
is restarted."

I don't know for sure, but I'm guessing that they're using
CryptGenRandom for the PRNG, which uses mouse & keyboard events timing,
system clock, system time, system counter, memory status, free disk
clusters, etc.  To my knowledge, it's sufficiently "random" to make them
unpredictable in practical terms.

Hope that helps.



Kevin Spett
SPI Labs
http://www.spidynamics.com/


----- Original Message -----
From: "Cade Cairns" <cairnsc () securityfocus com>
To: "Kevin Spett" <kspett () spidynamics com>
Cc: <webappsec () securityfocus com>
Sent: Friday, December 06, 2002 2:48 AM
Subject: Re: IIS session cookies


I'm curious whether the ASPSESSIONID value generated is predictable 
and if so, to what extent.

Cade Cairns
Symantec Corporation

On Thu, 5 Dec 2002, Kevin Spett wrote:

What do you mean by "IIS session cookies"?  Do you mean the 
ASPSESSIONID feature? And what do you mean by formed?  Are you 
talking about the PRNG behind it, or how a developer can use them?


Kevin Spett
SPI Labs
http://www.spidynamics.com/

----- Original Message -----
From: "Cade Cairns" <cairnsc () securityfocus com>
To: <webappsec () securityfocus com>
Sent: Thursday, December 05, 2002 5:29 PM
Subject: IIS session cookies


Hello webappsec,

I'm looking for information on how IIS session cookies are formed
(that
is, what data they consist of or how they are encoded, etc.)  Is
anyone
aware of any papers or resources on the subject?

Thanks,

Cade Cairns
Symantec Corporation








Current thread: