NCWF / CWR Forums

Is it insecure to use sequential session IDs when using encrypted cookies?

Now, I'll preface this by saying that I did a bunch of digging around on this topic and I haven't found anything to satisfy my curiosity. Most of the recommendations I could find said to use randomly generated session IDs, which I can understand is important if you're using plain-text cookies.

In my case, though, I'm wondering about how that advice holds up if the actual cookie value is encrypted. My reasoning is that even if an attacker can trivially guess the session ID of any given user, they won't be able to create a valid cookie, because they can't encrypt the value. I'm thinking randomly generated session IDs don't actually add any security in this scenario, but I was unable to find confirmation anywhere, so I figured I'd ask here!

tl;dr: if my cookie is encrypted, is it insecure to use sequential session IDs?

submitted by /u/nicmarier
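The scenario in the question, as an added example that is not part of the original post: sequential session IDs sealed into a cookie with AES-256-GCM from Node's built-in `crypto` module, so a cookie that was modified or not produced with the server key fails authentication. The cipher choice, key handling, cookie layout and function names are assumptions of this example; the post does not say which encryption scheme is used.

```javascript
// Added example: sequential session IDs in an authenticated, encrypted cookie.
const crypto = require('crypto');

// Assumption: a 32-byte server-side secret; generated here only so the example runs offline.
const KEY = crypto.randomBytes(32);

// Cookie layout (constructed for this example): base64url(nonce[12] || tag[16] || ciphertext[8])
function sealSessionId(sessionId, key = KEY) {
  const nonce = crypto.randomBytes(12); // fresh nonce per cookie, never reused under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const plaintext = Buffer.alloc(8);
  plaintext.writeBigUInt64BE(BigInt(sessionId)); // sequential ID as a fixed-width integer
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ciphertext]).toString('base64url');
}

// Returns the session ID, or null if the cookie is malformed or fails authentication.
function openSessionId(cookie, key = KEY) {
  const raw = Buffer.from(String(cookie), 'base64url');
  if (raw.length !== 12 + 16 + 8) return null;
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12),
    { authTagLength: 16 });
  decipher.setAuthTag(raw.subarray(12, 28));
  try {
    const plaintext = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return Number(plaintext.readBigUInt64BE());
  } catch {
    return null; // tag mismatch: cookie was altered or sealed under a different key
  }
}

// Test helper: change one bit of the ciphertext, as a client without the key could.
function tamperCookie(cookie) {
  const raw = Buffer.from(cookie, 'base64url');
  raw[raw.length - 1] ^= 0x01;
  return raw.toString('base64url');
}

const cookie = sealSessionId(1001);                      // constructed sample ID
console.log('valid cookie    ->', openSessionId(cookie));
console.log('tampered cookie ->', openSessionId(tamperCookie(cookie)));
```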