LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What requirements should a session ID meet?

Unique per session, contain no information about its meaning or technology, and be at least 128 bits of cryptographic randomness.

The three requirements from OWASP:

  • Unique identifier — uniquely names one session, can't collide with another.
  • Opaque (no leaked information) — the value shouldn't reveal anything about how it's used or what backend made it. PHPSESSID is a bad default: it tells an attacker "this is PHP, look for PHP session vulnerabilities". Rename the cookie to something neutral like id or sid.
  • Cryptographically random + long enough — at least 128 bits of effective entropy, generated from a CSPRNG. This makes brute-force guessing infeasible (2¹²⁸ possibilities).

Why these specifically:

  • Predictable IDs → session hijacking by guessing.
  • Information-leaking names → easier fingerprinting + targeted exploits.
  • Short IDs → brute-force attack within reach.

Common framework defaults:

Framework Default cookie name
PHP PHPSESSID (rename!)
ASP.NET ASP.NET_SessionId (rename!)
Java/JSP JSESSIONID (rename!)
Express.js connect.sid

Most frameworks let you override the cookie name in config — do it.

Tip: A quick check — open dev tools on your own app. If the session cookie name reveals the framework, that's free reconnaissance for an attacker. Pick something boring.

From Quiz: ISF / Session Handling & Login Protocols | Updated: Jul 14, 2026