

How do I make MS IIS server (classic ASP) to create random sessionIDs?

Last Modified: 2012-05-07
Hi, I am told that it's a good security thing to make IIS create random session IDs, but I cannot see anywhere how to make it do so?

Sven (Tech Lead Web-Development):

There is no such option for this in IIS, at least for Classic ASP.
You could do this only if you replace IIS session management by storing the sessions within a database.



A security guy told me that it should be possible in IIS 6!

I just don't know how to activate it, as it doesn't seem to work?

Is there some reason why you can't use session.SessionID?
Are you sure you are checking the right thing? Session.SessionID is not what you should be looking at for session hijacking purposes. Try the following to show the info you need to check.


Then look for the bit that starts ASPSESSIONID - this is the real session ID that is passed in the HTTP headers and can be used to exploit session hijacking.
Forgot to say, you may need to refresh the page to show the value, as the value is sent back to your browser but the code runs on the server. Refreshing again and again should then show you the same ASPSESSIONID value, as your browser keeps telling the server its session value.

Hope you understand the above.
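As an added diagnostic page (not code from the thread), the following Classic ASP script shows what the comment above describes: Session.SessionID is the server's per-session counter, while the ASPSESSIONID cookie in HTTP_COOKIE is the token the browser actually resends. The file name sessioncheck.asp and the Session key LastSeenToken are assumptions.

```vbscript
<% Option Explicit %>
<%
' sessioncheck.asp - added diagnostic page, not code from the original thread.
' Refresh it a few times: Session.SessionID is the server's per-session
' counter, while the ASPSESSIONID cookie is the token the browser resends.

' Collect every cookie whose name starts with ASPSESSIONID from the raw
' Cookie header. IIS appends a per-application suffix to the name, so
' match on the prefix rather than on an exact name.
Function GetAspSessionCookies()
    Dim raw, parts, i, pair, eq, dict
    Set dict = Server.CreateObject("Scripting.Dictionary")
    raw = Request.ServerVariables("HTTP_COOKIE")
    parts = Split(raw, ";")
    For i = 0 To UBound(parts)
        pair = Trim(parts(i))
        eq = InStr(pair, "=")
        If eq > 1 Then
            If UCase(Left(pair, 12)) = "ASPSESSIONID" Then
                dict(Left(pair, eq - 1)) = Mid(pair, eq + 1)
            End If
        End If
    Next
    Set GetAspSessionCookies = dict
End Function

Dim cookies, key, previous
Set cookies = GetAspSessionCookies()
' Token seen on the previous refresh, if any (LastSeenToken is an assumed key).
previous = Session("LastSeenToken")

Response.Write "<pre>"
Response.Write "Session.SessionID (server-side counter, not the token): " & Session.SessionID & vbCrLf
If cookies.Count = 0 Then
    Response.Write "No ASPSESSIONID cookie received yet - refresh the page." & vbCrLf
End If
For Each key In cookies.Keys
    ' Encode before writing: the Cookie header is client-supplied input.
    Response.Write Server.HTMLEncode(key & " = " & cookies(key)) & vbCrLf
    If previous = cookies(key) Then
        Response.Write "  same token as on the last refresh (expected)" & vbCrLf
    ElseIf previous <> "" Then
        Response.Write "  token changed since the last refresh" & vbCrLf
    End If
    Session("LastSeenToken") = cookies(key)
Next
Response.Write "</pre>"
%>
```

On the first visit the browser has no cookie yet, so the page reports none; from the second request on the same ASPSESSIONID value should appear each time, while Session.SessionID stays a small integer that says nothing about how guessable the token is.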


There are a couple of ways to secure sessionid, but it really depends upon the use. If it's a login site to download a whitepaper for instance, then Session Hijacking is not really a concern. If, however, we are talking about a banking website, that's a different animal.

I should have asked my question better than above, so let's try this. What will you be using the SessionID for? What kind of website is it? Will it be used internally or externally or both? Is there a reason you don't want to use SessionID, such as security?

Sorry, I dealt with his previous question, so I knew the background. I am aware of all the security issues as I specialise in this field. I have already mentioned things like XSS, SQL injection, session hijacking (hence this question) etc. in his previous questions.

Of course security is always relative and never an absolute.

No problem. I felt I was missing something here - out in the cold!


Both of you: it's because of security reasons. I want it to be secure!

So, IS the standard built-in session secure? And/or is it ONLY secure if it's random? And does it have to be random in session.SessionID or in the <%=Request.ServerVariables("HTTP_COOKIE")%>?

And if it's NOT secure, should I then make my own session-ID system?

Sorry, but it just isn't that simple. I have been developing e-commerce sites for over 12 years. The answer to your question is: what are you trying to secure? Some of my clients, for instance, save credit card information for use later on (monthly billing, etc.). For those clients I use a mixture of custom and non-custom: self-encrypting certain info and keeping all session info within SSL. Of course I never store password info or credit card info in the session.

However, most of my clients don't store sensitive info, and we don't put anything in the session that would be sensitive, so I'm not as concerned.

That said, yes, you can develop your own way of creating random session IDs. You can also use methods such as appending the IP address to the session ID and verifying it that way. It would look like 12345678901| You can then verify not only the session ID but the IP.
Sessions themselves are generally secure - the main issue with session security is session hijacking - however as long as you prevent cross-site scripting (XSS) and your server is generating random "HTTP_COOKIE" ASPSESSIONIDs then your exposure to session hijacking is very limited. If you are still concerned, adding a Session("IPAddress") which stores the IP address and checking this will reduce the threat of session hijacking even further.

Sessions are particularly good for security as they do not pass the data back and forth between the browser and server (unless you programme it to), which means the data stored in them is impossible to intercept through packet sniffing.

Below is a brief explanation of how sessions work which may help you understand all the comments...

When a browser connects to your server, your server looks for the ASPSESSIONID in the HTTP headers - HTTP_COOKIE - if it is not present when it sends the webpage to the server it includes an ASPSESSIONID which the browser will then include in every subsequent page request in that browser session (there are some exceptions here but don't worry about them).

When your server finds an ASPSESSIONID in the HTTP headers, it uses this to look up the SESSION.SESSIONID value and all other values stored against the session using the Session() command.

--- The weakness is that since 'hackers' can look at the HTTP headers, when they connect to your webserver they will see it sends out an ASPSESSIONID which the browser will use in subsequent page requests. Therefore they can start requesting pages and inserting ASPSESSIONID values; if your server finds a matching value then it will respond applying all the Session() values stored against the ASPSESSIONID. The problem for the hacker is there are billions and trillions of combinations for ASPSESSIONIDs so they are almost impossible to guess.

Some old servers used to issue the HTTP_COOKIE ASPSESSIONID in a known order, therefore a hacker could visit your website and look at what ASPSESSIONID they were issued and work out what the last few or the next few would be. This DOES NOT apply to IIS6.

Since almost all servers have fixed this security issue, hackers started using XSS to get access to the ASPSESSIONIDs. Read my article on EE about XSS hacking for details on how this is done and how to prevent it.


If you are looking to store sensitive information long term, then obviously sessions are of no use as sessions are timed out after 20 mins of inactivity (by default). Therefore it is recommended you store this information in an encrypted state inside a database located in a DMZ. Thus if anybody hacks your server or database they can only retrieve encrypted info.

If you need anything further let me know.


Here is some info:
I don't store credit card info. But I do have a shop site and accounts.
The whole site is SSL encrypted! Does this help against session hijacking?


Also interesting with the IP check idea.
I guess you then have to save the user's IP when he logs in, and then just check both session and IP in important programs?
But does it matter if the IP and the session var are "in the same" value? Would you then save it in your own session cookie? Or in 2 different cookies? Or check the IP from a DB call?
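The IP check suggested above (Session("IPAddress") stored at login and compared on each request) as an added Classic ASP example; this is not code from the thread or from any of its participants. The file name sessioncheck.inc, the procedure names, the Session key "User" and the page login.asp are assumptions.

```vbscript
<%
' sessioncheck.inc - added example, not code from the thread.
' Include at the top of every protected page, before any output is sent:
'   <!--#include file="sessioncheck.inc"-->
' and then call RequireLogin.

' Record the client address when the user logs in. Called once, from a
' (hypothetical) login page, after the credentials have been verified.
Sub MarkLoggedIn(userName)
    Session("User") = userName
    Session("IPAddress") = Request.ServerVariables("REMOTE_ADDR")
End Sub

' True only when the session carries a logged-in user AND the request comes
' from the same address that logged in. Keeping the IP server-side in the
' session means the client never sees or controls it; a second cookie would
' add nothing, because the client could rewrite it.
Function SessionIsValid()
    SessionIsValid = False
    If Session("User") = "" Then Exit Function
    If Session("IPAddress") <> Request.ServerVariables("REMOTE_ADDR") Then Exit Function
    SessionIsValid = True
End Function

' Drop every session value and send the browser to the login page when the
' check fails. Response.Redirect must run before any HTML is written.
Sub RequireLogin()
    If Not SessionIsValid() Then
        Session.Contents.RemoveAll
        Session.Abandon
        Response.Redirect "login.asp"   ' assumed login page
    End If
End Sub
%>
```

Two points a practitioner would want to know before deploying this: REMOTE_ADDR is the address of whatever connected to IIS, so behind a load balancer every user may appear to share one IP, and users on mobile networks or some proxies change address mid-session and will be logged out by the check. The comparison is therefore a defence-in-depth measure on top of random session tokens and XSS prevention, not a replacement for them.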

I think you are plenty safe from hijacking if you are on IIS 6.0 or 7. The bigger concern here is cross-site scripting and SQL injection, IMHO. See R_Harrison's link on XSS and also do some research on SQL injection. There are a number of ways to protect against SQL injection, but the biggest in my opinion is the use of stored procedures and not embedding SQL in your ASP/ASP.NET code. But, that's a different conversation.


Hi R Harrison,
Again, thanks a lot, I really appreciate both your help and your detailed description of sessions.
I don't store sensitive information in the session with the Session() command. But of course I verify the user on all pages by a check against a Session("somevalue") var. If it doesn't match he has to log in.

I will now check what you said about checking the right session ID for random IDs.
The last part about storing "this" information in a DMZ: I don't know what you are talking about. What is "this" information? And the DMZ?

I DO have:
XSS prevention
SSL encryption of whole website
SQL injection prevention


rgc: What is IMHO?

In My Humble Opinion!


R Harrison,

I can now see that the HTTP_COOKIE ASPSESSIONID "IS" random, and that the Session.SessionID ISN'T.

So does that mean I HAVE random sessions? And the security is all fine?


And also to Harrison:
Could I make you take a look at the comments I have made to the first issue:

Thanks in advance :)


What if I, instead of removing "()<>" tags, change them to the respective "%something" codes?
Will they then be a threat?
I use the function below; it swaps the <>() characters for the equivalent HTML entities (&lt; &gt; &#40; &#41;) so they display correctly on screen but will not run in a browser.

Copy the function onto your page, then simply


' Escape the characters that could open a tag or a script call, so the value
' displays literally instead of being interpreted by the browser.
' Note: & and quotation marks are left unchanged, so this covers output
' written between tags, not output placed inside attribute values.
Function MakeSafe(PassedValue)
    If IsNull(PassedValue) = False Then
        MakeSafe = Replace(PassedValue, "<", "&lt;")
        MakeSafe = Replace(MakeSafe, ">", "&gt;")
        MakeSafe = Replace(MakeSafe, "(", "&#40;")
        MakeSafe = Replace(MakeSafe, ")", "&#41;")
    Else
        MakeSafe = ""   ' a Null input returns an empty string rather than Empty
    End If
End Function
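As an added example (not the function posted above), here is an output encoder that also handles &, double quotes and single quotes, which MakeSafe leaves alone; those matter when the value lands inside an HTML attribute, where a quote character can end the attribute. The replacement order matters: & must be encoded first, otherwise the & introduced by the later entities would itself be encoded again. The name HtmlSafe is an assumption.

```vbscript
<%
' Added example, not the thread's own function: encodes every character that
' has a meaning to the HTML parser, not only the four MakeSafe replaces.
Function HtmlSafe(value)
    Dim s
    If IsNull(value) Or IsEmpty(value) Then
        HtmlSafe = ""
        Exit Function
    End If
    s = CStr(value)
    s = Replace(s, "&", "&amp;")    ' must come first (see lead-in)
    s = Replace(s, "<", "&lt;")
    s = Replace(s, ">", "&gt;")
    s = Replace(s, """", "&quot;")  ' would otherwise close a double-quoted attribute
    s = Replace(s, "'", "&#39;")    ' would otherwise close a single-quoted attribute
    s = Replace(s, "(", "&#40;")
    s = Replace(s, ")", "&#41;")
    HtmlSafe = s
End Function

' Usage: encode at the point of output, and keep the raw value in the
' database so it is not double-encoded the next time it is displayed.
' (Request.Form("name") is a constructed example input.)
Response.Write "<input type=""text"" value=""" & HtmlSafe(Request.Form("name")) & """>"
%>
```

Server.HTMLEncode, which ships with ASP, already handles &, <, > and the double quote; the hand-written version above is only needed when the parentheses and the single quote must be covered as well, as the function in this thread intends.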

