Invalidating a session in Fuckchats coms without sign up
In order to keep the authenticated state and track the user's progress within the web application, applications provide users with a session identifier (session ID or token) that is assigned at session creation time, and is shared and exchanged by the user and the web application for the duration of the session (it is sent on every HTTP request). With the goal of implementing secure session IDs, the generation of identifiers (IDs or tokens) must meet the following properties: The name used by the session ID should not be extremely descriptive nor offer unnecessary details about the purpose and meaning of the ID. Otherwise, the session ID name can disclose the technologies and programming languages used by the web application.
The session ID names used by the most common web application development frameworks can be easily fingerprinted, such as PHPSESSID (PHP), JSESSIONID (J2EE), CFID & CFTOKEN (Cold Fusion), ASP. It is recommended to change the default session ID name of the web development framework to a generic name, such as “id”.
The session ID must simply be an identifier on the client side, and its value must never include sensitive information (or PII).
The session ID value must provide at least 64 bits of entropy (if a good PRNG is used, this value is estimated to be half the length of the session ID).
NOTE: The session ID entropy is really affected by other external and difficult to measure factors, such as the number of concurrent active sessions the web application commonly has, the absolute session expiration timeout, the amount of session ID guesses per second the attacker can make and the target web application can support, etc.
NOTE: The session ID length of 128 bits is provided as a reference based on the assumptions made in the next section "Session ID Entropy".
However, this number should not be considered as an absolute minimum value, as other implementation factors might influence its strength.
If a session ID with an entropy of 64 bits is used, it will take an attacker at least 292 years to successfully guess a valid session ID, assuming the attacker can try 10,000 guesses per second with 100,000 valid simultaneous sessions available in the web application.
The session ID must be unpredictable (random enough) to prevent guessing attacks, where an attacker is able to guess or predict the ID of a valid session through statistical analysis techniques.
For this purpose, a good PRNG (Pseudo Random Number Generator) must be used.
The session ID must be long enough to prevent brute force attacks, where an attacker can go through the whole range of ID values and verify the existence of valid sessions.
The session ID length must be at least 128 bits (16 bytes).
For example, there are well-known implementations, such as Microsoft ASP.NET, making use of 120-bit random numbers for its session IDs (represented by 20-character strings) that can provide very good effective entropy and, as a result, can be considered long enough to avoid guessing or brute force attacks.
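The following added example (not part of the original text) puts the guidance above into code: it generates a 128-bit session ID from a CSPRNG, refuses the fingerprintable default cookie names listed above in favour of a generic one, and reproduces the "292 years" estimate for 64 bits of entropy, 10,000 guesses per second and 100,000 live sessions. The cookie attributes and the half-of-the-keyspace average-case model are assumptions of the example.

```python
import math
import secrets

# Default session-cookie names the text lists as fingerprintable (one per framework).
FINGERPRINTABLE_NAMES = {"PHPSESSID", "JSESSIONID", "CFID", "CFTOKEN"}
GENERIC_NAME = "id"  # the generic replacement name the text recommends


def new_session_id(num_bytes: int = 16) -> str:
    """Opaque session ID from the OS CSPRNG (secrets, never the random module).
    16 bytes = 128 bits, the minimum length given in the text; the value carries
    no state or PII, it is only a lookup key on the server side."""
    if num_bytes < 16:
        raise ValueError("session ID must be at least 128 bits (16 bytes) long")
    return secrets.token_urlsafe(num_bytes)


def session_cookie_header(session_id: str, name: str = GENERIC_NAME) -> str:
    """Build the Set-Cookie line, refusing framework-default names that disclose
    the technology stack. Cookie attributes here are an assumed hardening baseline."""
    if name.upper() in FINGERPRINTABLE_NAMES:
        raise ValueError(f"{name} discloses the framework; use a generic name such as {GENERIC_NAME!r}")
    return f"{name}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def expected_years_to_guess(entropy_bits: int, guesses_per_second: float,
                            active_sessions: int, seconds_per_year: int = 365 * 24 * 3600) -> float:
    """Average time for blind guessing to hit any of `active_sessions` valid IDs.
    Model (assumption): the attacker sweeps the 2**entropy_bits space without repeats,
    so on average half of the 2**bits / active_sessions candidates are tried before a hit."""
    expected_guesses = 2 ** entropy_bits / active_sessions / 2
    return expected_guesses / guesses_per_second / seconds_per_year


def min_chars_for_entropy(bits: int, alphabet_size: int) -> int:
    """Characters needed to carry `bits` of entropy in an alphabet of `alphabet_size`
    symbols, e.g. 22 URL-safe base64 characters or 32 hex characters for 128 bits."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    sid = new_session_id()
    print(session_cookie_header(sid))
    # The scenario from the text: 64 bits of entropy, 10,000 guesses/s, 100,000 live sessions.
    print(f"{expected_years_to_guess(64, 10_000, 100_000):.0f} years")  # ~292
```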