Channels ▼

Two Ways to Create Unique Session IDs

COM Objects from ASP.NET Pages

Each active ASP.NET session is identified by using a 120-bit string of URL-allowed characters. The session IDs are guaranteed to be unique and randomly generated to avoid data conflicts and prevent malicious attacks. Obtaining a valid session ID algorithmically from an existing ID is virtually impossible. The SessionID string is communicated to the browser, then returned to the server application in either of two ways: using cookies or a modified URL. By default, the session state module creates an HTTP cookie on the client, but (especially for cookieless browsers) a modified URL can be used with the SessionID string embedded. Which approach is taken depends on the configuration settings stored in the application's web.config file. To configure session settings, you use the <sessionState> section. The structure of the section is shown below:

<sessionState mode="Off | InProc | StateServer | SQLServer"
   cookieless="true | false"
   timeout="number of minutes"
   sqlConnectionString="sql connection string" />

By default, the cookieless attribute is false, meaning that cookies are used by browsers and the web server to exchange session information. A cookie is really nothing more than a text file placed on the client's hard disk by a web page. In ASP.NET, a cookie is represented by an instance of the HttpCookie class. Typically, a cookie has a name, a collection of values, and an expiration time. In addition, you can configure the cookie to operate on a particular virtual path and over secure connections (i.e., HTTPS).

When the cookieless attribute is set to False, which is the default, the session state module actually creates a cookie with a particular name and stores the session ID in it. The cookie is created as the following pseudocode shows:

HttpCookie sessionCookie;
sessionCookie = new HttpCookie("ASP.NET_SessionId", 
sessionCookie.Path = "/";

ASP.NET_SessionId is the name of the cookie and the SessionID string is its value. The cookie is also associated with the root of the current domain. The Path property describes the relative URL that the cookie applies to. A session cookie is given a very short expiration term and is renewed at each successful request end. The cookie's Expires property indicates the time of day on the client at which the cookie expires. If not explicitly set, as is the case with session cookies, the Expires property defaults to DateTime.MinValue, which is the smallest possible unit of time in the .NET Framework.

A server-side module that needs to write a cookie adds an HttpCookie object to the Response.Cookies collection. Cookies associated with the requested domain are also available for reading through the Request.Cookies collection.

The session ID is generated using the Random Number Generator (RNG) cryptographic provider. The service provider returns a 15-byte-long sequence (15x8=120 bit) of randomly generated numbers. Each number identifies a byte. The cryptographic provider can generate a sequence of random bytes of any length. A session ID is 15 bytes long by design. The array of bytes is then encoded to URL valid characters and returned as a string.

Finally, note that if the session contains nothing, then a brand new session ID is generated per each request and the session state is not persisted to the state provider.

Dino Esposito is Wintellect's ADO.NET and XML expert, and a trainer and consultant based in Rome, Italy. Dino is a contributing editor to Windows Developer Magazine and MSDN Magazine, and the author of several books for Microsoft Press including Building Web Solutions with ASP.NET and ADO.NET and Applied XML Programming for .NET. Contact Dino at

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.