Ideas on creating a unique session id?

R

RCS

We have sort of a centralized single-signon written in ASP.NET for all of
our legacy ASP and ASP.NET apps.. There are around 1200 users and something
like 2 dozen apps. Everyonce in a while, a user gets the error that their
session is a duplicate in the database.. I talked to the database guys about
putting in a job that cleans up old sessions, but I also want to have this
work a little cleaner on the front-end.

I need to generate a truly session id, here is my code right now (where
UniqueIdentifier is the users login):


using System.Security.Cryptography;

public string GenerateSessionID(string UniqueIdentifier)
{
TimeSpan objTS =
System.Diagnostics.Process.GetCurrentProcess().TotalProcessorTime;
int t = DateTime.Now.Second + DateTime.Now.Millisecond + objTS.Seconds +
objTS.Milliseconds;
long lngRandom = new System.Random(t).Next();
string strData = UniqueIdentifier + lngRandom.ToString();
string strTmp = "";
System.Text.UnicodeEncoding encoding = new System.Text.UnicodeEncoding();
byte[] hashBytes = encoding.GetBytes(strData);
SHA1 sha1 = new SHA1CryptoServiceProvider();
byte[] cryptPassword = sha1.ComputeHash(hashBytes);
for ( int x=0 ; x < cryptPassword.Length ; x++ )
{
strTmp = strTmp + String.Format("{0,2:X2}", cryptPassword[x]);
}
return strTmp;
}

But as you might imagine, using time values like this helps, but doesn't
solve this. Even going out to the year or month:

05 + 15 = 20 (month + day for May 15th)
04 + 16 = 20 (month + day for April 16th)

Same with seconds, etc.. I need a truly random number or seed for the random
number generator. In other words, UserLogin + date and time + processor
time... is still not truly unique, because these numbers can overlap.

Anyhow already have a bullet-proof way to handle this?

This process is very random, well - like 99%.. but I would just like to have
this be 100%. Any ideas?
 
D

Dan Baker

Why not simply use a database field with an auto-incrementing number. This
will give you a unique number. The main problem with this is that the
numbers are sequential (thus, being rather easy to guess other session id's
from your own session id). One method to get around this is to have another
field in the same database which contains the "public session id". This
field is set to "Unique", so the database will force that no two session
id's are identical. Then, the end-user must supply boh values to gain
access. You can use your string below as this second value.

DanB
 
S

Steve Walker

RCS said:
We have sort of a centralized single-signon written in ASP.NET for all of
our legacy ASP and ASP.NET apps.. There are around 1200 users and something
like 2 dozen apps. Everyonce in a while, a user gets the error that their
session is a duplicate in the database.. I talked to the database guys about
putting in a job that cleans up old sessions, but I also want to have this
work a little cleaner on the front-end.

I need to generate a truly session id, here is my code right now (where
UniqueIdentifier is the users login):
Click to expand...

System.Guid.NewGuid()?
 
R

Richard Blewett [DevelopMentor]

Guid.NewGuid(); ?

Regards

Richard Blewett - DevelopMentor
http://www.dotnetconsult.co.uk/weblog
http://www.dotnetconsult.co.uk

This might help:
http://groups-beta.google.com/groups?q=sql+server+oj+Uuidcreate

or:

http://groups-beta.google.com/groups?q=sqlserver+oj+GenerateComb

--
-oj


RCS said:
We have sort of a centralized single-signon written in ASP.NET for all of
our legacy ASP and ASP.NET apps.. There are around 1200 users and
something like 2 dozen apps. Everyonce in a while, a user gets the error
that their session is a duplicate in the database.. I talked to the
database guys about putting in a job that cleans up old sessions, but I
also want to have this work a little cleaner on the front-end.

I need to generate a truly session id, here is my code right now (where
UniqueIdentifier is the users login):


using System.Security.Cryptography;

public string GenerateSessionID(string UniqueIdentifier)
{
TimeSpan objTS =
System.Diagnostics.Process.GetCurrentProcess().TotalProcessorTime;
int t = DateTime.Now.Second + DateTime.Now.Millisecond + objTS.Seconds +
objTS.Milliseconds;
long lngRandom = new System.Random(t).Next();
string strData = UniqueIdentifier + lngRandom.ToString();
string strTmp = "";
System.Text.UnicodeEncoding encoding = new System.Text.UnicodeEncoding();
byte[] hashBytes = encoding.GetBytes(strData);
SHA1 sha1 = new SHA1CryptoServiceProvider();
byte[] cryptPassword = sha1.ComputeHash(hashBytes);
for ( int x=0 ; x < cryptPassword.Length ; x++ )
{
strTmp = strTmp + String.Format("{0,2:X2}", cryptPassword[x]);
}
return strTmp;
}

But as you might imagine, using time values like this helps, but doesn't
solve this. Even going out to the year or month:

05 + 15 = 20 (month + day for May 15th)
04 + 16 = 20 (month + day for April 16th)

Same with seconds, etc.. I need a truly random number or seed for the
random number generator. In other words, UserLogin + date and time +
processor time... is still not truly unique, because these numbers can
overlap.

Anyhow already have a bullet-proof way to handle this?

This process is very random, well - like 99%.. but I would just like to
have this be 100%. Any ideas?
Click to expand...



[microsoft.public.dotnet.languages.csharp]
 
Top