What keeps someone from logging in to web-site Z, going into the cookie holding the Session_Id for web-site Z, and fiddling with it to become someone else as identified by the server?
Nothing but the length and base of session IDs. If it is quite long, it would take trillions (or more) tries before a collision is found. Longer IDs multiply the number of possible IDs by the base of the hash, so if your hash has numbers and lowercase letters, every extra character multiplies the possibilities by 36.
A 20-character hash will give you 36^20 different possibilities. If you double the length of the ID, you get 36^40 different possibilities, making it much harder for anyone to brute-force into another account.
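The keyspace arithmetic from the answer above, worked through as an added example (not code from the original post): it computes the 36^20 and 36^40 keyspaces, the equivalent bits, and how long an unthrottled guessing attack would be expected to take, and it generates an ID of that alphabet with a CSPRNG so that the arithmetic actually holds. The `active_sessions` parameter is an assumption added here to show that an attacker who only needs to land on *any* live session gets a proportional discount.

```python
import math
import secrets
import string

# Alphabet from the answer above: digits plus lowercase letters, base 36.
ALPHABET = string.digits + string.ascii_lowercase


def keyspace_size(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Number of distinct IDs: base ** length (36**20 and 36**40 above)."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """The same keyspace expressed in bits: log2(base ** length)."""
    return length * math.log2(alphabet_size)


def expected_years_to_guess(length: int, guesses_per_second: float,
                            active_sessions: int = 1,
                            alphabet_size: int = len(ALPHABET)) -> float:
    """Expected time for an online guessing attack to hit a valid ID.

    On average half the keyspace must be tried; with N valid sessions live
    at once, any one of them is a hit, so the work drops by a factor of N.
    Assumes every guess is answered (no rate limiting), i.e. the worst case.
    """
    expected_guesses = keyspace_size(length, alphabet_size) / 2 / active_sessions
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def generate_session_id(length: int = 40, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly from a CSPRNG (the secrets module).

    The base ** length figure only holds when every character is
    unpredictable; an ID built from a seeded PRNG, a timestamp or a counter
    has far fewer *effective* possibilities than its length suggests.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for length in (20, 40):
        print(f"{length} chars: {keyspace_size(length):.3e} ids, "
              f"{entropy_bits(length):.1f} bits, "
              f"~{expected_years_to_guess(length, 1e6):.3e} years "
              f"at 1e6 guesses/s against one session")
    print("example id:", generate_session_id(40))
```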