[WEB SECURITY] security of GUID

Chris Weber chris at lookout.net
Thu Dec 7 13:59:09 EST 2006


GUIDs are commonly used as session IDs.  Where security is a concern,
they're often tied to other values such as encrypted tamper-proof cookies,
or even some sort of encrypted state tracking value.  Yes, GUIDs are
considered random enough, but you need to qualify how you plan on using
them.  For example, if you pass the session identifier in the URL then
you've just jeopardized it, and if you don't tie it to another strong value
such as the cookie, then you haven't raised the bar.  Replay attacks, MITM,
and most other web related attacks fall outside the scope of session
hijacking but you likely know that already.





-----Original Message-----
From: Noon Tar [mailto:noontar at gmail.com] 
Sent: Thursday, December 07, 2006 5:20 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] security of GUID

How random are the GUIDs generated by Windows APIs?

Are they random enough to be used for things like session identifiers?
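The binding Chris Weber describes above (a session identifier that is only accepted together with a separate tamper-proof cookie) can be sketched in a few lines. The following is an added example, not code from either poster: it generates a session ID from the OS CSPRNG (and, for comparison, a version-4 UUID, which Python's uuid4() also draws from os.urandom), derives an HMAC binding token that the server would set in an HttpOnly cookie, and accepts a request only when the ID carried in the URL and the cookie token agree. The server key, helper names and sample values are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import uuid
from typing import Optional

# Constructed server-side key for the example; in a real deployment load it
# from a secret store and rotate it, never hard-code it in source.
SERVER_KEY = b"example-server-key-do-not-reuse"


def new_session_id() -> str:
    """Session identifier from the OS CSPRNG: 16 random bytes, URL-safe base64."""
    return secrets.token_urlsafe(16)


def new_session_id_from_guid() -> str:
    """Version-4 UUID: 122 random bits (6 bits are fixed version/variant markers).

    Python's uuid4() uses os.urandom, so the randomness is comparable to
    secrets.token_urlsafe; the posters' point is that this depends on the
    generator behind the API, not on the GUID format itself."""
    return str(uuid.uuid4())


def binding_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over the session id, keyed with the server secret.

    This is the 'other strong value' the reply recommends: the server sends it
    in a separate HttpOnly, Secure cookie. A session id seen in a URL, log or
    referrer header is useless without it."""
    return hmac.new(key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_request(url_session_id: Optional[str],
                   cookie_token: Optional[str],
                   key: bytes = SERVER_KEY) -> bool:
    """Accept a request only when the URL session id and cookie binding agree.

    compare_digest is used so that a wrong token takes the same time to reject
    regardless of how many leading characters happen to match."""
    if not url_session_id or not cookie_token:
        return False
    expected = binding_token(url_session_id, key)
    return hmac.compare_digest(expected, cookie_token)


def demo() -> dict:
    """Exercise the checks with a constructed session; returns the outcomes."""
    sid = new_session_id()
    cookie = binding_token(sid)
    return {
        # Browser presents both the id (URL) and the binding cookie.
        "legit": verify_request(sid, cookie),
        # Only the URL leaked (e.g. via a referrer header): no cookie, rejected.
        "url_only_replay": verify_request(sid, None),
        # Cookie value guessed without the server key: rejected.
        "forged_cookie": verify_request(sid, "0" * 64),
        # A valid cookie presented with a different session id: rejected.
        "swapped_session": verify_request(new_session_id(), cookie),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} -> {'accepted' if ok else 'rejected'}")
```

Running the module prints one line per case; only the request carrying both the session ID and its matching cookie is accepted. The design choice worth noting is that the binding cookie adds nothing to the entropy of the session ID itself; what it adds is a second secret that travels over a channel (an HttpOnly cookie) that is not written to URLs, proxy logs or referrer headers, which is exactly the weakness the reply warns about when the ID alone is passed in the URL.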

----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]




