secure random numbers in asp.net | ansaurus

tags:

views:

52

answers:

2

+3 Q:

secure random numbers in asp.net

From what i know Random() is initialize to the current time. If two connections hit during the same second i should get the same two random numbers? With a large site that can be likely. Locking is bad so how should i solve it? note: the number is used for the session id.

-edit- i am stuck using a long. It feels wrong to shorten a 128bit GUID

+4 A:

Rather than using a random number from a call to Random(), use a Guid.NewGuid(). The chance of a duplicate is very, very small...

Using a GUID for a session ID is a common solution.

Mitch Wheat 2010-07-04 03:11:30

Specifically, Guid.NewGuid(), (otherwise you could actually construct duplicate guids). Guid.NewGuid() is essentially a psuedo-random number generator

matt-dot-net 2010-07-04 03:20:12

would Convert.ToInt64(guid); be fine?

acidzombie24 2010-07-04 03:25:22

Would the downvoter please leave a comment. Thanks.

Mitch Wheat 2010-07-04 04:56:08

+1 for simplicity.

rockinthesixstring 2010-07-04 05:02:33

i did leave a comment - essentially what you said was "Don't use a random, use a random"

matt-dot-net 2010-07-04 05:11:21

@matt-dot-net: a random number and a GUID are different things...

Mitch Wheat 2010-07-04 05:35:15

Yes, they are two different things entirely, exactly the point I have been trying to make to you. One is a concept and the other is a value data type. But, when you mention Guid.NewGuid() then you are generating a pseudo random number and then the only difference is size of the data. Your edited answer makes more sense now. +1

matt-dot-net 2010-07-04 17:14:11

+2 A:

First, why do you need to create your own session id? Are you using SessionIDManager ? I would use the Guid.NewGuid() method like what is shown in in the example CreateSessionID . According to the documentation for Guid.NewGuid(), "The chance that the value of the new Guid will be all zeros or equal to any other Guid is very low."

matt-dot-net 2010-07-04 03:14:46

related questions

Is it better to create Model classes, or just stick with generic database utility class?

What are effective options for embedding video in an ASP.NET web site?

Visual Studio 2008 debugger already attached work-around

Tracking state using ASP.NET AJAX / ICallbackEventHandler

ASP.NET Display SVN Revision Number

ASP.NET URL Rewriting

How can I change the background of a masterpage from the code behind of a content page?

Easy way to AJAX WebControls

How do I define custom web.config sections with potential child elements and attributes for the properties?

ASP.NET MVC "CRUD" Database Sample

Are Multiple DataContext classes ever appropriate?

How to RedirectToAction in ASP.NET MVC without losing request data

Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?

ASP.NET built in user profile, Vs old stile user class/tables

What's a good book for learning ASP?

Bandwith throttling in IIS 6 by IP Address

ASP .Net Custom Client-Side Validation

How to get the value of built, encoded ViewState?

Decent, simple, GIS/mapping component for ASP.NET?

Checklist for IIS 6/ASP.NET Windows Authentication?

How to write to Web.Config in Medium Trust ?

ASP.NET, Visual Studio and Subversion - how to integrate?

Floating Point Number parsing: Is there a Catch All algorithm?

How do I sync the SVN revision number with my ASP.NET web site?

ASP.NET Site Maps