Best practices for SessionId/Authentication Token generation

authentication uuid sessionid
oldbam picture oldbam · Mar 9, 2011 · Viewed 16.9k times · Source

I have seen people using UUID for authentication token generation. However, in RFC 4122 it is stated that

Do not assume that UUIDs are hard to guess; they should not be used as security capabilities (identifiers whose mere possession grants access), for example.

I was wondering, what algorithms are used for example in Java and .NET for SessionId/AuthenticationToken generation. Is UUID indeed unsuitable for these purposes in an application that has more than average security needs?

Answer

Sean picture Sean · Sep 27, 2011

UUID generation is random, but random with bad entropy means that you will end up with easy to guess UUIDs. If you use a good random number generator, you can generate UUIDs that can be used for sessions. The catch to this, however, is that UUIDs don't have built-in re-play prevention, tampering, fixation, etc., you have to handle that on your own (read: a UUID by itself shouldn't be considered a valid session ID by itself). That said, here's a good snippet for how you would generate a secure UUID using python:

Unique session id in python

Related questions

Git push requires username and password

I cloned a Git repository from my GitHub account to my PC. I want to work with both my PC and laptop, but with one GitHub account. When I try to push to or pull from GitHub using my PC, …

Read More
Git push results in "Authentication Failed"

I have been using Github for a little while and I have been fine with git add, git commit, and git push so far with no problems. Suddenly I am having an error that says: fatal: Authentication Failed In the …

Read More
Is there a way to cache GitHub credentials for pushing commits?

I recently switched to synchronizing my repositories to https:// on GitHub (due to firewall issues), and it asks for a password every time. Is there a way to cache the credentials, instead of authenticating every time that git push?

Read More