Reputation: 431
I've already read the Microsoft guide about sessions, but I still don't understand one thing: when I call session["somesession"], does this method read the session cookie each time?
I've seen a random session ID, KOJEAKBAALANILPHAGONBEIC; this was taken from http://www.w3schools.com/
My question is: how can this little string be secure? It is easy to guess, especially if the site has many active sessions.
Upvotes: 3
Views: 7602
Reputation: 2019
In general, session data is stored in the remote server's memory, and every session has a unique session ID. A new session ID is generated for each page request until the session object is accessed. The client has a reference to the session ID, which is stored in a cookie.
So what you can see is just a reference and not the real session data. Hope it helps.
Upvotes: 1
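The answer above says the cookie holds only a reference, but the question was whether that reference is guessable. The following is an added example, not part of this answer or of ASP.NET: it takes the ID quoted in the question, derives the alphabet that can be observed from it (a lower bound on the generator's real alphabet, so the entropy figure is conservative), and works out how many blind guesses would be needed to land on any one of N live sessions. The active-session count and guess rate are constructed numbers chosen to show the effect the questioner worries about; the last function shows how a server should mint IDs, from the operating system's CSPRNG.

```python
import math
import secrets

# Constructed sample: the 24-character ID quoted in the question.
SAMPLE_ID = "KOJEAKBAALANILPHAGONBEIC"


def observed_alphabet(session_ids):
    """Characters seen across sampled IDs.

    This is only a lower bound on the generator's real alphabet, so any
    entropy figure derived from it is a conservative (pessimistic) estimate.
    """
    return sorted(set("".join(session_ids)))


def id_entropy_bits(alphabet_size, length):
    """Entropy if every position is drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def expected_guesses_to_hit_any(alphabet_size, length, active_sessions):
    """Expected random guesses before one of N live IDs is hit.

    With N valid IDs in a space of size S, each guess succeeds with
    probability N/S, so the expected number of guesses is S/N.  More active
    sessions shrink this, which is exactly the questioner's worry; the
    defence is a space so large that S/N stays astronomically big.
    """
    space = alphabet_size ** length
    return space / active_sessions


def guesses_for_success_probability(alphabet_size, length, active_sessions, p):
    """Guesses g needed so that P(at least one hit) reaches p.

    P(no hit after g guesses) = (1 - N/S)^g, hence g = ln(1-p) / ln(1-N/S).
    log1p keeps precision when N/S is tiny.
    """
    space = alphabet_size ** length
    return math.log(1 - p) / math.log1p(-active_sessions / space)


def years_at_rate(guesses, guesses_per_second):
    """Wall-clock time for a given number of guesses at a fixed rate."""
    return guesses / guesses_per_second / (365 * 24 * 3600)


def generate_session_id(nbytes=16):
    """128 bits from the OS CSPRNG (what a server should use; never a seeded PRNG)."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    alphabet = observed_alphabet([SAMPLE_ID])
    print("observed alphabet:", "".join(alphabet), "->", len(alphabet), "symbols")
    bits = id_entropy_bits(len(alphabet), len(SAMPLE_ID))
    print(f"lower-bound entropy: {bits:.1f} bits")
    n_active = 1_000_000  # constructed: a busy site with a million live sessions
    g = guesses_for_success_probability(len(alphabet), len(SAMPLE_ID), n_active, 0.5)
    print(f"guesses for a 50% chance at any of {n_active:,} sessions: {g:.3e}")
    print(f"at 1e9 guesses/s that is {years_at_rate(g, 1e9):.3e} years")
    print("fresh ID from a CSPRNG:", generate_session_id())
```

The point the numbers make is that the questioner is right about the direction (a million live sessions makes the space a million times easier to hit) but wrong about the magnitude: even the conservative 13-symbol alphabet gives roughly 89 bits, and the server can reject or rate-limit requests that present unknown IDs long before a guesser gets anywhere near the expected count.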
Reputation: 25521
With ASP.NET you can have your session data stored in memory or in a database (e.g. SQL Server). When you first use session in your application, it will return a session cookie to the client.
All future requests from the client will also pass along the session cookie (which includes an ID such as the one you included). You are correct that the session ID is by no means secure on its own (although it has enough characters to prevent an easy brute-force attack).
However, this is where SSL comes into play. If you serve your site over SSL, then the content of that cookie will be encrypted while it goes over the wire, and any prying eyes won't be able to steal your session identifier (unless, of course, your site is open to an XSS attack).
Upvotes: 5
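SSL only protects the cookie if the browser refuses to send it over plain HTTP, and the XSS caveat in this answer is about script being able to read the cookie at all. Both are controlled by attributes on the Set-Cookie header, so here is an added example, not part of this answer or of ASP.NET, that parses a Set-Cookie header and reports which of those protections are missing. The two headers are constructed; they use the default ASP.NET session cookie name and the ID from the question, once as a bare cookie and once with the attributes a session cookie should carry.

```python
# Constructed examples: the default ASP.NET session cookie name with the ID
# quoted in the question, first without protections and then hardened.
WEAK_HEADER = "ASP.NET_SessionId=KOJEAKBAALANILPHAGONBEIC; path=/"
HARDENED_HEADER = ("ASP.NET_SessionId=KOJEAKBAALANILPHAGONBEIC; path=/; "
                   "Secure; HttpOnly; SameSite=Lax")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value or True}).

    Attribute names are lower-cased because browsers match them
    case-insensitively; flag attributes such as Secure map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header):
    """Return a list of findings; an empty list means the cookie carries the
    protections the answer above relies on."""
    _name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will also send the ID over "
                        "plain HTTP, so serving the site over SSL does not protect it")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page script can read the ID through "
                        "document.cookie, which is what an XSS flaw would exploit")
    if "samesite" not in attrs:
        findings.append("missing SameSite: the cookie is attached to cross-site requests")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: a session ID should expire with the browser session")
    if len(value) < 16:
        findings.append(f"short ID ({len(value)} chars): too few possibilities to resist guessing")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        print(f"{label}: {header}")
        for finding in audit_session_cookie(header) or ["no findings"]:
            print("  -", finding)
```

In ASP.NET the first two attributes can be enforced site-wide from web.config with `<httpCookies httpOnlyCookies="true" requireSSL="true" />` under `<system.web>`; the audit function is what you would run against the response headers of a real deployment to confirm the setting took effect.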