Use RNGCryptoServiceProvider to create true random session ids

commit 4235f0b11ff6ee9a6f49c49edacb4363684291e2 1 parent 64465ad
@mythz mythz authored
Showing with 11 additions and 2 deletions.
  1. +11 −2 src/ServiceStack.ServiceInterface/SessionExtensions.cs
13 src/ServiceStack.ServiceInterface/SessionExtensions.cs
@@ -2,6 +2,7 @@
using System.Collections.Generic;
using System.Linq;
using System.Net;
+using System.Security.Cryptography;
using System.Web;
using ServiceStack.CacheAccess;
using ServiceStack.Common;
@@ -70,9 +71,17 @@ public static string CreateSessionIds(this IHttpResponse res, IHttpRequest req)
: tempId;
}
+ static readonly RandomNumberGenerator randgen = new RNGCryptoServiceProvider();
+ internal static string CreateRandomSessionId()
+ {
+ var data = new byte[15];
+ randgen.GetBytes(data);
+ return Convert.ToBase64String(data);
+ }
+
public static string CreatePermanentSessionId(this IHttpResponse res, IHttpRequest req)
{
- var sessionId = Convert.ToBase64String(Guid.NewGuid().ToByteArray());
+ var sessionId = CreateRandomSessionId();
res.Cookies.AddPermanentCookie(SessionFeature.PermanentSessionId, sessionId);
req.Items[SessionFeature.PermanentSessionId] = sessionId;
return sessionId;
@@ -80,7 +89,7 @@ public static string CreatePermanentSessionId(this IHttpResponse res, IHttpReque
public static string CreateTemporarySessionId(this IHttpResponse res, IHttpRequest req)
{
- var sessionId = Convert.ToBase64String(Guid.NewGuid().ToByteArray());
+ var sessionId = CreateRandomSessionId();
res.Cookies.AddSessionCookie(SessionFeature.SessionId, sessionId,
(EndpointHost.Config != null && EndpointHost.Config.OnlySendSessionCookiesSecurely && req.IsSecureConnection));
req.Items[SessionFeature.SessionId] = sessionId;
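Review bot: The new `CreateRandomSessionId` in the second hunk carries no comment stating the entropy and encoding it commits to, which is the security-relevant decision here and the one a later maintainer is most likely to shrink or reformat; I would add `/// <summary>Builds a session id from 15 cryptographically random bytes (120 bits), Base64-encoded to a 20-character string with no padding.</summary>` above it. The `randgen` field also relies on the implicit `private` and hard-codes the CSP-specific type; `private static readonly RandomNumberGenerator randgen = RandomNumberGenerator.Create();` keeps the declared base type and avoids tying the code to `RNGCryptoServiceProvider`. Standard Base64 output can contain `+` and `/`, which are legal in a cookie value but would need URL encoding if the id is ever carried in a query string — I can't tell from this page whether that happens, so it is worth a comment either way. The third hunk (`CreateTemporarySessionId`) appears truncated on this page, so its last line is not visible for review.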