Home/ Questions/Q 153873
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T09:52:42+00:00

GUIDs get used a lot in creating session keys for web applications. I’ve always

  • 0

GUIDs get used a lot in creating session keys for web applications. I’ve always wondered about the safety of this practice. Since the GUID is generated based on information from the machine, and the time, along with a few other factors, how hard is it to guess of likely GUIDs that will come up in the future. Let’s say you started 1000, or 10000 new sessions, to get a good dataset of the GUIDs being generated. Would this make it any easier to generate a GUID that might be used for another session. You wouldn’t even have to guess a specific GUID, but just keep on trying GUIDs that might be generated at a specific period of time.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. .NET Web Applications call Guid.NewGuid() to create a GUID which is in turn ends up calling the CoCreateGuid() COM function a couple of frames deeper in the stack.

    From the MSDN Library:

    The CoCreateGuid function calls the RPC function UuidCreate, which creates a GUID, a globally unique 128-bit integer. Use the CoCreateGuid function when you need an absolutely unique number that you will use as a persistent identifier in a distributed environment.To a very high degree of certainty, this function returns a unique value – no other invocation, on the same or any other system (networked or not), should return the same value.

    And if you check the page on UuidCreate:

    The UuidCreate function generates a UUID that cannot be traced to the ethernet/token ring address of the computer on which it was generated. It also cannot be associated with other UUIDs created on the same computer.

    The last contains sentence is the answer to your question. So I would say, it is pretty hard to guess unless there is a bug in Microsoft’s implementation.

    • 0