From: Stefano Di Paola (stefano.dipaola@wisec.it)
Date: Sat Feb 23 2008 - 06:52:09 EST
Hi Jay,
Il giorno ven, 22/02/2008 alle 11.36 -0500, Jay ha scritto:
> How is it known that 706616434 equates to ASPSESSIONIDGQQGQGCS=JHMBOBKCBINEHLPKJHOPABBE?
have a look at http://www.cgisecurity.com/lib/SessionIDs.pdf
"..
IIS ASP SessionID
Session ID values are 32-bit long integers.
Each time the Web server is restarted, a random session ID starting
value is selected.
For each new ASP session that is created, the session ID value is
incremented.
The 32-bit session ID is mixed with random data and encrypted to
generate a 16character cookie string. Later, when a cookie is received,
the session ID is decrypted from the 16-character cookie string.
The encryption key is randomly selected each time the Web server is
restarted.
.."
Cheers,
Stefano
-- ...oOOo...oOOo.... Stefano Di Paola Software & Security Engineer Owasp Italy R&D Director Web: www.wisec.it .................. ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:25 EDT