Quiz Entry - updated: 2026.07.14
What requirements should a session ID meet?
Unique per session, contain no information about its meaning or technology, and be at least 128 bits of cryptographic randomness.
The three requirements from OWASP:
- Unique identifier — uniquely names one session, can't collide with another.
- Opaque (no leaked information) — the value shouldn't reveal anything about how it's used or what backend made it.
PHPSESSIDis a bad default: it tells an attacker "this is PHP, look for PHP session vulnerabilities". Rename the cookie to something neutral likeidorsid. - Cryptographically random + long enough — at least 128 bits of effective entropy, generated from a CSPRNG. This makes brute-force guessing infeasible (2¹²⁸ possibilities).
Why these specifically:
- Predictable IDs → session hijacking by guessing.
- Information-leaking names → easier fingerprinting + targeted exploits.
- Short IDs → brute-force attack within reach.
Common framework defaults:
| Framework | Default cookie name |
|---|---|
| PHP | PHPSESSID (rename!) |
| ASP.NET | ASP.NET_SessionId (rename!) |
| Java/JSP | JSESSIONID (rename!) |
| Express.js | connect.sid |
Most frameworks let you override the cookie name in config — do it.
Tip: A quick check — open dev tools on your own app. If the session cookie name reveals the framework, that's free reconnaissance for an attacker. Pick something boring.