Generating Random Session IDs

For any online service you must login so you can gain access to your stuff. So that you only have to put in your password once, the website must maintain a special unique character sequence called a session key to know that you have already authenticated.

There is a problem with these keys, however, if they are not truly random. This is detailed in a paper I stumbled upon entitled Brute-Force Exploitation of Web Application Session IDs by David Endler. It covers ways in which these keys can be “hacked” because they are not unique, but rather follow some sequence which can be guessed. He lists some major websites which he was able to get access to information that should have been private.

The paper got me thinking about how to generate random session keys, so I created some quick Python scripts using Twisted which demonstrates my solution. (This was my first time using Twisted, so it’s very possible that there is a better way to structure the code).

Solution

The character buffer in the server is used to generate new keys.

To fill the buffer:

  1. Create a list of websites which themselves deliver random web pages (eg, wikipedia)
  2. Select a website from random and ask for a random page
  3. Grab the data within the HTML body tags and put that string in the character buffer
  4. When the buffer needs more data, go back to 1.

To generate X number of keys:

  1. Grab two random lengths of the character buffer. Use one to re-seed the random generator and the other as the basis for the new session key. Create the session key using MD5 and the key seed
  2. Update() the current MD5 session key using a generated random character / string
  3. Add that key to the buffer.
  4. When the key buffer needs more keys, go back to Step 1. For every Y number of keys generated, go back to Step 0.

Notes

We don’t use a new seed for each MD5 session key because the buffer will be emptied too quickly. Of course, the settings for the buffer size, etc could be tweaked.

Performance

Running the server code on my Mac Mini (2.16GHz Dual Core) and 5 clients on another machine, I was able to service ~8000 keys/sec (~750 million keys/day).

Conclusion

My experiment satisfied my curiosity and answered the questions from my own project.

There are, of course, many tweaks that can be made. Send me the code changes to your favorites and I’ll include them.

“Click to download the client server files.”:/downloads/code/HTTP-Session-Key.zip

Resources