Shawn Dube

Reputation: 410

How can I correlate session.sessionid and IIS Log session cookie?

We are logging some tracking information to a database table within a Classic ASP site. One of the pieces of information captured is the user's session ID (session.sessionid). Examples of what is captured are:

Then, separately in our IIS logs, session cookies are logged as such (these do not relate to the above examples... I just grabbed from a log I happened to have open):

Most important question is, how can I correlate the long sessionID to the "likely encoded and possibly hashed or encrypted" textual representation.

And, secondarily, what are the values appended to ASPSESSIONID representing? (ex. the "ACCDBSTT" in ASPSESSIONIDACCDBSTT)

Upvotes: 1

Views: 3083

Answers (1)

Kevin

Reputation: 6014

According to this MSDN article (which is ancient, but certainly makes sense in my experience):

  • Session ID values are 32-bit long integers.
  • Each time the Web server is restarted, a random Session ID starting value is selected.
  • For each ASP session that is created, this Session ID value is incremented.
  • The 32-bit Session ID is mixed with random data and encrypted to generate a 16-character cookie string. Later, when a cookie is received, the Session ID can be restored from the 16-character cookie string (ASPSESSIONID).
  • The encryption key used is randomly selected each time the Web server is restarted.

This makes it sound like it would be impossible/impractical to decrypt the cookie after the fact.

If what you want to do is match IIS log records with database changes, the way we accomplished this in the past was by adding an ASPSESSIONID column to our database AuditLog table. Every time we logged a change, we also grabbed just the ASPSESSIONID* cookie from Request.ServerVariables("HTTP_COOKIE") (session cookies aren't exposed through the Request.Cookies collection) and saved it in the DB as well. Then when we had issues we needed to track down, we'd just do a text search in the IIS log for the value of the cookie in the AuditLog table (or vice versa).

Upvotes: 1
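
The lookup described in the answer above (finding the IIS log requests that carry the cookie stored with an AuditLog row), as an added example that is not part of the original answer. The log lines, audit rows and the asp_cookie column name are constructed for illustration; it assumes the W3C log has the cs(Cookie) field enabled, where IIS writes spaces as "+".

```python
import re
from collections import defaultdict

# Constructed sample data (not from the original post).
IIS_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs(Cookie) sc-status
2024-01-05 10:15:02 10.0.0.7 GET /default.asp - 200
2024-01-05 10:15:09 10.0.0.7 POST /orders/edit.asp lang=en;+ASPSESSIONIDACCDBSTT=KJHGFDSAQWERTYUIOPLMNBVC 302
2024-01-05 10:16:40 10.0.0.9 GET /orders/list.asp ASPSESSIONIDACCDBSTT=ZXCVBNMASDFGHJKLQWERTYUI 200
"""

# Hypothetical AuditLog rows; asp_cookie holds the name=value pair saved at write time.
AUDIT_ROWS = [
    {"audit_id": 1, "change": "order 1001 updated",
     "asp_cookie": "ASPSESSIONIDACCDBSTT=KJHGFDSAQWERTYUIOPLMNBVC"},
    {"audit_id": 2, "change": "order 1002 deleted",
     "asp_cookie": "ASPSESSIONIDACCDBSTT=AAAAAAAAAAAAAAAAAAAAAAAA"},
]

# Cookie name with its variable suffix, then the value up to ';', '+' or whitespace.
COOKIE_RE = re.compile(r"(ASPSESSIONID\w*)=([^;+\s]+)")

def parse_iis_log(text):
    """Yield one dict per request, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the field list can change mid-file
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split(" ")))

def index_by_session_cookie(text):
    """Map 'ASPSESSIONIDxxx=value' to every request that sent it."""
    index = defaultdict(list)
    for row in parse_iis_log(text):
        for name, value in COOKIE_RE.findall(row.get("cs(Cookie)", "")):
            index[f"{name}={value}"].append(row)
    return index

def correlate(audit_rows, log_text):
    """Return {audit_id: [matching log requests]}; an empty list means no match."""
    index = index_by_session_cookie(log_text)
    return {a["audit_id"]: index.get(a["asp_cookie"], []) for a in audit_rows}

if __name__ == "__main__":
    for audit_id, hits in correlate(AUDIT_ROWS, IIS_LOG).items():
        print(audit_id, [(h["time"], h["c-ip"], h["cs-uri-stem"]) for h in hits])
```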
