Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have seen people using UUID for authentication token generation. However, in RFC 4122 it is stated that
Do not assume that UUIDs are hard to guess; they should not be used
as security capabilities (identifiers whose mere possession grants
access), for example.
I was wondering, what algorithms are used for example in Java and .NET for SessionId/AuthenticationToken generation. Is UUID indeed unsuitable for these purposes in an application that has more than average security needs?
UUIDgeneration is random, but random with bad entropy means that you will end up with easy to guessUUIDs. If you use a good random number generator, you can generateUUIDs that can be used for sessions. The catch to this, however, is thatUUIDs don’t have built-in re-play prevention, tampering, fixation, etc., you have to handle that on your own (read: a UUID by itself shouldn’t be considered a valid session ID by itself). That said, here’s a good snippet for how you would generate a secureUUIDusingpython:Unique session id in python