Creating a secure session key RRS feed

  • Question

  • I am looking at storing session data in Azure Table Storage and was looking at using a Base64 encoded RNG Crypto Service value as the session key.  However, base64 can include characters that Table Storage Partition Key doesn't like, notable the / character.  My thought was to use a GUID instead.  However, my research indicates that normal GUIDs aren't very secure.  So my other thought was to generate the GUID using a 16 byte value provided from RNG Crypto Service.  I haven't been able to find much info on whether this makes GUIDs anymore secure or not so thought I would ask  to see if anyone had any ideas.

    Thanks for your help

    Wednesday, February 15, 2012 10:10 PM


All replies

  • Hi Stoolio,

    Would you like to share the resource that indicates why normal GUIDs are not very secure? According to that article we would give a more nichetargeting solution to you.

    Now i have two methods to generate a more complex seesion key what you want:

    1. Please try to use String.Format method to mix GUID and Time.Ticks to a new key, such as:

    string Key = string.Format("{0:10}-{1}", DateTime.MaxValue.Ticks - DateTime.Now.Ticks, Guid.NewGuid()).Replace("-","");

    2. Use SHA-256 (Secure Hash Algorithm) to generate your key, it looks like more secure:


    Hope it can help you.

    Please mark the replies as answers if they help or unmark if not. If you have any feedback about my replies, please contact msdnmg@microsoft.com Microsoft One Code Framework

    Thursday, February 16, 2012 9:56 AM
  • Hi

    Thanks for the reply.  Here is an example of some of the discussions I've come across regarding use of GUIDs



    Thursday, February 16, 2012 8:09 PM
  • It really depends on what sort of session key you are creating, and how long it is valid for. A GUID is by definition an insecure key because it is possible to recalculate on another machine within a known timeframe. However, if the lifetime of the key is super short, and a whole confluence of other things add up to make it tricky to generate that key, especially if it's not stored on a user's machine then a GUID will work fine. But since in security we don't rely on the universe being in our favor, we tend to skip GUIDs.

    The easiest thing you could do is generate a byte array using a CRNG and then output the values as a hex string and use that as the session key.

    Now, here is the warning: PLEASE DO NOT ROLE YOUR OWN SESSION MANAGEMENT SYSTEM. Use something like forms auth (not my favorite) or use the WIF framework and generate a claims based token.

    Developer Security MVP | www.syfuhs.net

    Thursday, February 16, 2012 8:38 PM
  • Thanks for the reply. 

    Ideally I'd like to avoid creating my own session management system but there don't seem to be many choices when it comes to azure web role development and there is no guarantee the user will be sent to the same server every time.  I know there was one included in a sample project that many posts refer to but I'm reluctant to try it since it doesn't seem to be official.  The app fabric cache is also another option but it seems pretty pricey. 

    My thought was to create a unique, secure session key and store that as the partition key in azure table storage along with some other user specific info.  If the session is idle for more than 30 minutes the user will need to re-logon and get a new session key.  Originally I was generating the key using RNG CSP but when it was encoded for storage in ATS it periodically failed because the encoding container invalid characters, which was why I was trying to see if a GUID generated using RNG CSP would suffice.  Something like the following:

    byte[] temp = new byte[16];
    using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())

    return new Guid(temp).ToString("N");
    Thanks again for the info

    Thursday, February 16, 2012 10:15 PM
  • Well, that should work in theory.

    However you still run into the problem of writing a custom session module. Don't! :) There is a section in the Identity Training Kit (http://www.microsoft.com/download/en/details.aspx?id=14347) on using WIF on Azure. It allows for multiple instances. See lab "Federated Authentication in Windows Azure" and then in Excercise 1 it shows how to support multiple instances.

    You can skip the first bit about federation and for the actual authentication bit you can look at http://www.leastprivilege.com/ReplacingASPNETFormsAuthenticationWithWIFSessionAuthenticationForTheBetter.aspx to write out the session cookie.

    You'll be much better off following this route. :)

    Developer Security MVP | www.syfuhs.net

    • Marked as answer by Stoolio Thursday, February 16, 2012 10:37 PM
    Thursday, February 16, 2012 10:33 PM
  • Excellent!  Thanks for pointing me in that direction.
    Thursday, February 16, 2012 10:37 PM