Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Are ServiceStack session ids secure enough?

From what I understand, when using ServiceStack's Authentication you'd typically authenticate at the start of a session and then mark the session on the server side as authenticated. Subsequent web service requests will use that session id and not require re-authentication. (Please correct me if I'm wrong so far).

Generation of new session ids is performed using Guid.NewGuid() in SessionExtensions.cs, which doesn't generate cryptographically fantastic values. Is there any reason not to switch to use cryptographically secure values, e.g. using RNGCryptoServiceProvider?

UPDATE:

Actually, after thinking about it a bit further, ASP.NET doesn't use its Session Id to confirm that the requestor is authenticated. It uses a FormsAuthenticationTicket which has been encrypted with a machine key and hashed (here's a nice description of the process for ASP.NET 2.0).

I'm not a security dude so I don't know what implication this has if you were to compare the level of security provided by ASP.NET Forms Auth and that provided by a random value. I suppose it all comes down to key and data lengths... but also the time required to mount a brute-force attack on Forms Authentication is probably much higher as it doesn't require just trying a whole heap of random numbers?

like image 459
Rory Avatar asked Feb 18 '13 15:02

Rory


People also ask

Are session IDs secure?

Session IDs, in their conventional form, do not offer secure Web browsing. Skilled hackers can acquire session IDs (a process called session prediction), and then masquerade as authorized users in a form of attack known as session hijacking.

Should I encrypt session ID?

In order to protect the session ID exchange from active eavesdropping and passive disclosure in the network traffic, it is essential to use an encrypted HTTPS (TLS) connection for the entire web session, not only for the authentication process where the user credentials are exchanged.

What is a good method of generating session IDs?

The session ID is generated using the Random Number Generator (RNG) cryptographic provider. The service provider returns a sequence of 15 randomly generated numbers (15 bytes x 8 bit = 120 bits). The array of random numbers is then mapped to valid URL characters and returned as a string.

Is session ID sensitive?

Session IDs are sensitive information that may allow an attacker to steal, modify and/or destroy information once they obtain one. Information sent via URL parameters is: Stored in clear text in the browser history. Sent to external sites via the referrer HTTP header.


1 Answers

Right ServiceStack uses the standard HTTP approach of Authenticating + Set session cookie to setup an authenticated session for subsequent requests, which is a common approach across all web frameworks.

Although I've never heard of a vulnerability in .NET from being able to predict and reverse-engineer a GUID, it appears that ASP.NET's own SessionId is not as strong as a Guid (2^120 vs 2^128 bits of entropy). But given it's not truly random we'll change ServiceStack's implementation to use a truly random identifier in the next release.

like image 157
mythz Avatar answered Nov 02 '22 04:11

mythz