My web application operates only over SSL and sets a time limited cookie for each user after they successfully login with a username and password. The biggest weaknesses in the system are one compromising an existing user's cookie. And two guessing a session ID GUID.
I know of mechanisms for the first weakness but I'm wondering how much I need to worry about the chance of an attacker guessing a session ID GUID based on a GUID they have previously obtained by logging into an account they have set up? The web server in this case is Windows 2003 and the GUIDs are being generated with .Net 3.5.
GUIDs are not intended to be cryptographically secure, just unique. Quite a lot of the format is predictable - 48 bit MAC address, a timestamp that is somewhat predictable if you know how it's generated and another few bits to deal with timestamp collisions. A technically sophisiticated attacker has a pretty good chance of reverse engineering a GUID.
You really need a cryptographically secure PRNG for a secure session key.
.Net 3.5 GUIDs are virtually impossible to guess. The sheer number of GUIDs is enormous - there are more GUIDs than there are grains on sand in the universe, etc. They are not strictly 'guaranteed' to be unique (although apparently SQL NEWID is guaranteed to be unique)
If you want to test this for yourself, generate a few hundred million and then find duplicates (you won't find any).
来源:https://stackoverflow.com/questions/1397676/are-guids-generated-on-windows-2003-safe-to-use-as-session-ids