Session Id Entropy
Is there a way to adjust the entropy for the generated session Id on the web client? Using a proxy tool, such as Burp Suite, the effective entropy is estimated to be 0 bits with 20,000 requests. This is flagged as a security concern that I need to address.
Official comment
Hello, Alex.
Version 10.0.11 has been released. We've updated how session IDs are generated to increase entropy.
Please download the latest version ASAP.
Hello, Alex.
Adjusting the session ID isn't currently possible, however, this sounds like it may be a false positive. I'm going to have a member of our development team chime in shortly to provide further technical details.
Hi Alex,
Our development team reproduced similar results in test environments.
Cerberus session IDs are created with 160 bits of cryptographically random data.
This data is converted into a UTF-8 string which, in turn, is base-64 encoded and sent to the browser. The string conversion added padding and control characters to the data, lengthening the overall session string with non-random data.
While this may have reduced overall randomness of the string in analysis, the resulting session tokens should still be unpredictable for practical purposes.
We appreciate your bringing this to our attention, though, and plan to remove the unnecessary string conversion in a future release. This should result in shorter session ID strings whose randomness is more apparent.
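The explanation above (160 random bits, run through a string conversion before base-64, so the token grows by bytes that carry no randomness) can be reproduced with a small model. The following Python is an added illustration, not code from this thread or from Cerberus: `encode_via_string` is an assumed reconstruction of the string conversion (each random byte treated as a code point, UTF-8 encoded, then base-64), `encode_direct` is the straightforward base-64 of the raw bytes, and `audit_token` estimates how many bits of a decoded token are random versus UTF-8 framing, assuming the thread's contract of one random byte per code point. `SAMPLE_RAW` is a constructed input chosen so the numbers are deterministic.

```python
import base64
import secrets

TOKEN_BYTES = 20  # 160 bits, as stated in the thread

# Constructed sample input: 20 bytes 0x70..0x83, four of them >= 0x80.
SAMPLE_RAW = bytes(range(0x70, 0x84))


def new_raw_token() -> bytes:
    """160 bits from the OS CSPRNG (secrets, not random)."""
    return secrets.token_bytes(TOKEN_BYTES)


def encode_direct(raw: bytes) -> str:
    """Base-64 the random bytes as-is: 20 bytes -> 28 chars, only the '=' pad is fixed."""
    return base64.b64encode(raw).decode("ascii")


def encode_via_string(raw: bytes) -> str:
    """Assumed reconstruction of the string conversion described in the thread.

    Each random byte is treated as a code point (Latin-1 decode), the text is
    UTF-8 encoded, and only then base-64'd. Every byte >= 0x80 becomes a two-byte
    UTF-8 sequence (110xxxxx 10xxxxxx), so the token grows by framing bits that
    carry no randomness. This is a hypothetical model, not the product's code.
    """
    return base64.b64encode(raw.decode("latin-1").encode("utf-8")).decode("ascii")


def audit_token(token: str) -> dict:
    """Decode a token and estimate random bits versus total payload bits.

    Assumes one random byte per code point (the generator contract from the
    thread). If raw binary happens to decode as UTF-8 with multi-byte sequences,
    the estimate is conservative (it under-counts random bits).
    """
    payload = base64.b64decode(token)
    try:
        text = payload.decode("utf-8")
        code_points = len(text)
        multibyte = sum(1 for ch in text if ord(ch) >= 0x80)
    except UnicodeDecodeError:
        # Not valid UTF-8: treat every payload byte as random.
        code_points = len(payload)
        multibyte = 0
    payload_bits = 8 * len(payload)
    random_bits = 8 * code_points
    return {
        "token_chars": len(token),
        "payload_bits": payload_bits,
        "random_bits": random_bits,
        "framing_bits": payload_bits - random_bits,
        "multibyte_sequences": multibyte,
        "density": random_bits / payload_bits,
    }


if __name__ == "__main__":
    for name, enc in (("direct", encode_direct), ("via_string", encode_via_string)):
        print(name, enc(SAMPLE_RAW), audit_token(enc(SAMPLE_RAW)))
    # Random tokens: the direct form is always 28 chars, the string form varies
    # with how many bytes happened to be >= 0x80.
    lengths = {len(encode_via_string(new_raw_token())) for _ in range(1000)}
    print("via_string lengths seen:", sorted(lengths))
```

Both encodings keep the full 160 random bits, which is why the tokens stay unpredictable; the difference is density. The string form spreads those bits over a longer, variable-length token whose extra bytes are structural, which is what a proxy's entropy estimator reacts to and what removing the conversion (as promised for 10.0.11) fixes.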
Is this feature already slated for a specific release?
We are working to get this change into the next release, 10.0.11.0, due out in a couple weeks.