
Best practices for SessionId/Authentication Token generation

I have seen people using UUID for authentication token generation. However, in RFC 4122 it is stated that

Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example.

I was wondering, what algorithms are used for example in Java and .NET for SessionId/AuthenticationToken generation. Is UUID indeed unsuitable for these purposes in an application that has more than average security needs?

oldbam asked Mar 09 '11 10:03



1 Answer

UUID generation is random, but random with bad entropy means that you will end up with easy-to-guess UUIDs. If you use a good random number generator, you can generate UUIDs that can be used for sessions. The catch to this, however, is that UUIDs don't have built-in replay prevention, tamper protection, fixation protection, etc.; you have to handle that on your own (read: a UUID by itself shouldn't be considered a valid session ID). That said, here's a good snippet for how you would generate a secure UUID using Python:

Unique session id in python

Sean answered Sep 19 '22 23:09
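The snippet linked above is not reproduced on this page, so the following is an added example (not the answer's own code, nor the linked one) showing the two points the answer makes: draw the UUID or token from the OS CSPRNG, and then bind it with an HMAC so a tampered or forged value is rejected. The signing key, the `.` separator and the token length are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import uuid
from typing import Optional


def secure_uuid4() -> uuid.UUID:
    """Version-4 UUID built from os.urandom: 122 random bits, not a time/MAC-based v1."""
    # uuid.uuid4() already uses os.urandom; spelling it out makes the entropy source explicit.
    return uuid.UUID(bytes=os.urandom(16), version=4)


def new_session_token(nbytes: int = 32) -> str:
    """Opaque session id from the secrets module (CSPRNG); 32 bytes = 256 bits of entropy."""
    return secrets.token_urlsafe(nbytes)


def sign_session_id(session_id: str, key: bytes) -> str:
    """Append an HMAC-SHA256 tag so the server can detect a forged or altered id.

    Format (assumed for this example): "<session_id>.<hex tag>". Neither a UUID string
    nor a urlsafe token contains '.', so the split below is unambiguous.
    """
    tag = hmac.new(key, session_id.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_session_id(token: str, key: bytes) -> Optional[str]:
    """Return the session id if the tag verifies, else None (constant-time compare)."""
    try:
        session_id, tag = token.rsplit(".", 1)
    except ValueError:
        return None  # malformed: no tag at all
    expected = hmac.new(key, session_id.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return session_id


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-server key; in practice load it from config
    token = sign_session_id(str(secure_uuid4()), key)
    print(token, "->", verify_session_id(token, key))
```

Rotating the id on re-authentication and expiring it server-side are still separate concerns that the tag does not cover.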