
Session Id Entropy

Completed

Comments

5 comments

  • Official comment
    Dana Anderson
    Product Support

    Hello, Alex.

    Version 10.0.11 has been released. We've updated how session IDs are generated to increase entropy.

    Please download the latest version ASAP.

  • Dana Anderson
    Product Support

    Hello, Alex.

    Adjusting the session ID isn't currently possible; however, this sounds like it may be a false positive. I'm going to have a member of our development team chime in shortly to provide further technical details.

  • Permanently deleted user
    Development

    Hi Alex,

    Our development team reproduced similar results in test environments.

    Cerberus session IDs are created with 160 bits of cryptographically random data.
    This data is converted into a UTF-8 string which, in turn, is base64 encoded and sent to the browser.

    The string conversion added padding and control characters to the data, lengthening the overall session string with non-random data.

    While this may have reduced overall randomness of the string in analysis, the resulting session tokens should still be unpredictable for practical purposes.

    We appreciate your bringing this to our attention, though, and plan to remove the unnecessary string conversion in a future release. This should result in shorter session ID strings whose randomness is more apparent.

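The explanation above (160 random bits, converted to a string, then base64 encoded, with the string conversion adding non-random structure) can be reproduced in a few lines. The following is an added example written for this page; it is not Cerberus code, and the exact conversion Cerberus used is not stated in the thread. The example assumes a plausible model of the flaw: each random byte is treated as a character and the text is re-encoded as UTF-8, which turns every byte at or above 0x80 into a two-byte sequence with a fixed lead byte and fixed high bits in the continuation byte. The function names and the 2000-token sample size are the example's own choices.

```python
import base64
import math
import os
from collections import Counter

TOKEN_BITS = 160  # figure from the thread: 160 bits of cryptographically random data


def random_token_bytes(n_bits: int = TOKEN_BITS) -> bytes:
    """Draw n_bits of CSPRNG output; os.urandom is suitable for session IDs."""
    return os.urandom(n_bits // 8)


def encode_direct(raw: bytes) -> str:
    """The fix the thread describes: base64 the raw random bytes and nothing else."""
    return base64.b64encode(raw).decode("ascii")


def decode_direct(token: str) -> bytes:
    return base64.b64decode(token)


def bytes_to_text_then_utf8(raw: bytes) -> bytes:
    """Hypothetical model of the flawed path (an assumption, not Cerberus's actual code):
    treat each random byte as a character (Latin-1 decode) and re-encode the text as
    UTF-8. Bytes >= 0x80 become two bytes: a lead byte that is always 0xC2 or 0xC3 and
    a continuation byte whose top two bits are always 10. That structure is the
    'non-random data' that lengthens the token."""
    return raw.decode("latin-1").encode("utf-8")


def encode_via_string(raw: bytes) -> str:
    return base64.b64encode(bytes_to_text_then_utf8(raw)).decode("ascii")


def decode_via_string(token: str) -> bytes:
    """Recover the original random bytes from a string-path token. The conversion is
    invertible, so the token still carries all 160 bits: longer and less uniform,
    but no easier to guess, which is the point the developer makes above."""
    return base64.b64decode(token).decode("utf-8").encode("latin-1")


def information_density(encoded_len_bytes: int, n_bits: int = TOKEN_BITS) -> float:
    """Bits of genuine randomness per byte of token material."""
    return n_bits / encoded_len_bytes


def empirical_byte_entropy(samples) -> float:
    """Shannon entropy in bits per byte of the byte distribution across many samples.
    This is roughly what a token-analysis tool reports, and it is what drops when
    fixed lead bytes and fixed high bits are mixed into the output."""
    counts = Counter(b for s in samples for b in s)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def compare(n_tokens: int = 2000) -> dict:
    """Generate n_tokens session IDs both ways and compare the byte-level statistics.
    Expected: raw bytes score close to 8 bits/byte; the string path scores near 6.25
    (analytically: 1/3 of output bytes are uniform ASCII, 1/3 are one of two lead
    bytes, 1/3 are uniform over 64 continuation values) and is 1.5x longer on average."""
    raws = [random_token_bytes() for _ in range(n_tokens)]
    via_string = [bytes_to_text_then_utf8(r) for r in raws]
    mean_len = sum(map(len, via_string)) / n_tokens
    return {
        "raw_entropy_per_byte": empirical_byte_entropy(raws),
        "string_path_entropy_per_byte": empirical_byte_entropy(via_string),
        "mean_string_path_len": mean_len,
        "raw_density": information_density(len(raws[0])),
        "string_path_density": information_density(mean_len),
    }


if __name__ == "__main__":
    raw = random_token_bytes()
    print("direct token:     ", encode_direct(raw))
    print("string-path token:", encode_via_string(raw))
    for k, v in compare().items():
        print(f"{k}: {v:.3f}")
```

The takeaway for anyone reading a scanner's "low session ID entropy" finding: check whether the token is a reversible re-encoding of a full-strength random value before treating it as predictable. The string path here reports noticeably lower entropy per byte while still containing 160 bits of randomness, which is exactly the false-positive pattern the support reply describes, and removing the conversion (encode_direct) both shortens the token and makes its randomness measurable.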
  • Alex Riley

    Is this feature already slated for a specific release?

  • Permanently deleted user
    Development

    We are working to get this change into the next release, 10.0.11.0, due out in a couple weeks.
