From this OWASP page on "Insufficient Session-ID Length", it states:
Assuming that the session identifiers are being generated using a good source of random numbers, we will estimate the number of bits of entropy in a session identifier to be half the total number of bits in the session identifier. For realistic identifier lengths this is possible, though perhaps optimistic.
I have performed entropy analysis of 10-digit numeric session keys, 64-bit hex session keys, and 128-bit session keys over 2000+ samples in each instance, and I am seeing much higher entropy than half the length of the key.
On what basis are OWASP making this statement?
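An added example, not from the question or the OWASP page: it computes the OWASP half-length figure next to the per-character-position empirical Shannon entropy of a constructed sample of CSPRNG-generated identifiers, and also reports log2 of the number of distinct samples, which is the ceiling any whole-identifier empirical estimate can reach from that many samples. Function names and the sample sizes are my own choices.

```python
import math
import secrets
from collections import Counter

# OWASP heuristic quoted above: entropy ~= half the identifier's bit length.
def owasp_estimate_bits(id_bits):
    return id_bits / 2

def per_position_entropy_bits(samples):
    """Sum of empirical Shannon entropy (bits) over each character position.

    All samples are assumed to have the same length; zip() truncates to the
    shortest one if they do not.
    """
    n = len(samples)
    if n == 0:
        return 0.0
    total = 0.0
    for column in zip(*samples):
        counts = Counter(column)
        total -= sum((c / n) * math.log2(c / n) for c in counts.values())
    return total

def sample_bound_bits(samples):
    """Upper bound on the whole-identifier empirical entropy for this sample:
    with N distinct observations the plug-in estimate cannot exceed log2(N)."""
    distinct = len(set(samples))
    return math.log2(distinct) if distinct else 0.0

# Constructed sample generators using the CSPRNG-backed secrets module.
def hex_session_ids(n, id_bits):
    return [secrets.token_hex(id_bits // 8) for _ in range(n)]

def numeric_session_ids(n, digits):
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(n)]

if __name__ == "__main__":
    for label, ids, bits in (
        ("128-bit hex", hex_session_ids(2000, 128), 128),
        ("64-bit hex", hex_session_ids(2000, 64), 64),
        ("10-digit numeric", numeric_session_ids(2000, 10), 10 * math.log2(10)),
    ):
        print(f"{label}: OWASP half-length={owasp_estimate_bits(bits):.1f} bits, "
              f"per-position Shannon={per_position_entropy_bits(ids):.1f} bits, "
              f"sample ceiling={sample_bound_bits(ids):.1f} bits")
```

The per-position sum treats positions as independent, so it approaches the nominal bit width for a good generator, while the sample ceiling shows how little the sample alone can certify.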