How secure are your session variables?

I did some testing with WebScarab to evaluate the apparent randomness of session variables in the top 4 languages I have exposure to (ColdFusion, Classic ASP, ASP.NET and PHP). All except classic ASP appeared to be somewhat random. I would say classic ASP session variables are somewhat guessable (this has been known for a while, but it's cool to see it first-hand), based on the results (I tested 200 session variables on each platform):

[WebScarab session-ID randomness plot: ColdFusion MX 7]

[WebScarab session-ID randomness plot: PHP 5]

[WebScarab session-ID randomness plot: Classic ASP on IIS 6]


One Response to How secure are your session variables?

  1. Rogan says:

    One important thing to remember about WebScarab is that it treats characters early on in the session ID as being “more significant” when calculating the value.

    Which means if you have a 2-byte counter as the first thing in your session ID, and 64 bytes of randomness immediately following, your plot will show predictability even when there really is none.

    Easy way to cross check this is to use the Analysis tab, and look at the scale of the numbers you are dealing with. When you are in the “E+30”, etc ranges, there is not a hope in hell of predicting anything.

    Another good tool you might want to try is “stompy”, by Michal Zalewski. It performs a suite of random analysis tests, far more sophisticated than what WebScarab does.
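The two points above (the post's "collect a couple of hundred session IDs and look for predictability", and Rogan's warning that a tool weighting early characters most heavily will flag a counter prefix as predictability) can be checked directly with a few lines of Python. The block below is an added example, not code from the original post, from WebScarab or from stompy. It constructs its own sample IDs (one set fully random, one set with a 2-byte counter in front of 32 random hex characters, seeded only so the demo is reproducible), then runs three cheap checks: per-position Shannon entropy, the fraction of consecutive IDs whose value goes up when the ID is read as a big-endian number (which, like the weighting Rogan describes, makes the first characters dominate), and a search for a prefix that increments by exactly one between consecutive IDs. All function names here are my own.

```python
"""Cheap predictability checks on a sample of session IDs.

Added example; the sample IDs are constructed here, not captured from any
of the platforms in the post. The seeded PRNG is for reproducibility only:
a real session-ID generator must use secrets.token_hex(), never random.
"""
import math
import random
from collections import Counter

HEX = "0123456789abcdef"


def make_random_ids(n, length=32, seed=None):
    """n IDs of `length` hex characters from a seeded PRNG (constructed data)."""
    rng = random.Random(seed)
    return ["".join(rng.choice(HEX) for _ in range(length)) for _ in range(n)]


def make_counter_prefixed_ids(n, counter_digits=4, random_length=32, seed=None):
    """IDs shaped like the case in Rogan's comment: a short counter first
    (4 hex digits = 2 bytes), then plenty of real randomness (constructed data)."""
    rng = random.Random(seed)
    return ["%0*x" % (counter_digits, i)
            + "".join(rng.choice(HEX) for _ in range(random_length))
            for i in range(n)]


def positional_entropy(ids):
    """Shannon entropy in bits of the symbol at each position across the sample.
    The maximum for hex is 4.0; a position near 0 bits carries no secret at all."""
    length = len(ids[0])
    assert all(len(s) == length for s in ids), "IDs must have equal length"
    total = len(ids)
    result = []
    for pos in range(length):
        counts = Counter(s[pos] for s in ids)
        result.append(-sum(c / total * math.log2(c / total) for c in counts.values()))
    return result


def monotone_fraction(ids):
    """Fraction of consecutive pairs whose big-endian integer value increases.
    Reading the whole ID as one number weights early characters most, so a
    counter prefix drives this to 1.0 even when the tail is unpredictable.
    Genuinely random IDs sit near 0.5."""
    vals = [int(s, 16) for s in ids]
    ups = sum(1 for a, b in zip(vals, vals[1:]) if b > a)
    return ups / (len(vals) - 1)


def detect_counter_prefix(ids):
    """Longest k such that the first k hex digits, read as an integer, increase by
    exactly 1 from each ID to the next in the captured order. 0 if none does."""
    length = len(ids[0])
    for k in range(length, 0, -1):
        vals = [int(s[:k], 16) for s in ids]
        if all(b - a == 1 for a, b in zip(vals, vals[1:])):
            return k
    return 0


def report(name, ids):
    """Print one summary line per sample set and return the raw measurements."""
    ent = positional_entropy(ids)
    k = detect_counter_prefix(ids)
    mono = monotone_fraction(ids)
    print(f"{name}: positional entropy min/mean = {min(ent):.2f}/{sum(ent) / len(ent):.2f} bits, "
          f"monotone fraction = {mono:.2f}, counter prefix = {k} hex digits")
    return ent, mono, k


if __name__ == "__main__":
    # 200 IDs per set, matching the sample size used in the post.
    report("fully random", make_random_ids(200, seed=1))
    report("2-byte counter + random", make_counter_prefixed_ids(200, seed=1))
```

For the counter-prefixed set the monotone fraction is exactly 1.0 and the first two positions have 0 bits of entropy, which is the "predictable" picture a position-weighted plot would paint; the 32 trailing positions still sit near 4 bits each, which is why Rogan's advice to look at the scale of the numbers matters. The counter-prefix search is what actually separates the two cases: it returns 4 for the constructed counter set and 0 for the random set. Note that all three checks depend on collecting the IDs in the order the server issued them.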
