Web Server Uses Non Random Session IDs

Medium Nessus Plugin ID 31657


The remote web server generates predictable session IDs.


The remote web server generates a session ID for each connection. A session ID is typically used to keep track of the actions of a user while they visit a website, so whoever presents a valid ID is treated as that user.

The remote server generates non-random, predictable session IDs (for example, values derived from a counter or a clock rather than from a cryptographically secure random source). An attacker could exploit this flaw to guess the session IDs of other users and thereby hijack their sessions without needing their credentials.


Configure the remote site and its CGIs to generate session IDs with a cryptographically secure random number generator, with enough entropy that valid values cannot be guessed or enumerated. The OWASP Session Management Cheat Sheet recommends at least 64 bits of entropy and an ID length of at least 128 bits.
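The following is an added example written for this page; it is not Tenable's NASL plugin nor code from any web server or CGI framework. It covers both the description above (how a sample of session IDs reveals a counter- or clock-driven generator) and the solution (a CSPRNG-backed generator). The function names, the two deliberately weak generators, the constructed sample IDs and the half-of-maximum per-character entropy threshold are this example's own assumptions; the 64-bit entropy and 128-bit length figures follow the OWASP guidance cited above.

```python
"""Added example: predictability check for sampled session IDs, plus a weak
and a strong generator side by side. Not the Nessus plugin's own code."""
import math
import secrets
from collections import Counter

HEX_BITS_PER_CHAR = 4.0  # log2(16): the ceiling for one hex character


def weak_counter_id(n: int) -> str:
    """Deliberately weak (assumed CGI behaviour): a zero-padded request
    counter. Each ID is derivable from the previous one."""
    return f"{n:016x}"


def weak_clock_id(unix_ms: int) -> str:
    """Also deliberately weak: the server clock in milliseconds. Not strictly
    sequential, but monotonic and confined to a small, brute-forceable window."""
    return f"{unix_ms:016x}"


def strong_session_id() -> str:
    """CSPRNG-backed 128-bit (16-byte) ID, hex-encoded to 32 characters,
    meeting the OWASP minimums for length and entropy."""
    return secrets.token_hex(16)


def _as_int(session_id: str) -> int:
    """Interpret an ID numerically: as hex if it parses, else as big-endian bytes."""
    try:
        return int(session_id, 16)
    except ValueError:
        return int.from_bytes(session_id.encode(), "big")


def positional_entropy_bits(ids) -> float:
    """Sum of per-position Shannon entropies (bits) across the sampled IDs.
    Positions that never change contribute 0 bits, which is exactly what a
    padded counter leaks. This plug-in estimate underestimates true entropy
    for small samples, so treat it as a lower bound, not a measurement."""
    total = 0.0
    n = len(ids)
    for column in zip(*ids):  # zip truncates to the shortest ID
        counts = Counter(column)
        total += -sum((c / n) * math.log2(c / n) for c in counts.values())
    return total


def is_monotonic(ids) -> bool:
    """True when every successive ID is numerically larger than the previous
    one: the signature of counters and clocks."""
    values = [_as_int(s) for s in ids]
    return all(b > a for a, b in zip(values, values[1:]))


def assess(ids, min_bits: float = 64.0) -> dict:
    """Classify a sample of session IDs. 'predictable' mirrors the plugin's
    finding: the IDs are monotonic, or the estimated entropy per character is
    below half of the hex maximum (this example's own heuristic, chosen to
    tolerate small-sample underestimation). 'meets_64_bit_floor' compares the
    estimate against the OWASP minimum."""
    ids = list(ids)
    if len(ids) < 2:
        raise ValueError("need at least two session IDs to compare")
    bits = positional_entropy_bits(ids)
    per_char = bits / min(len(s) for s in ids)
    monotonic = is_monotonic(ids)
    return {
        "samples": len(ids),
        "entropy_bits_estimate": round(bits, 1),
        "monotonic": monotonic,
        "predictable": monotonic or per_char < HEX_BITS_PER_CHAR / 2,
        "meets_64_bit_floor": bits >= min_bits,
    }


if __name__ == "__main__":
    # Constructed samples standing in for Set-Cookie values captured over
    # 200 requests to the same server.
    counter_ids = [weak_counter_id(1000 + i) for i in range(200)]
    clock_ids = [weak_clock_id(1_700_000_000_000 + 37 * i) for i in range(200)]
    random_ids = [strong_session_id() for _ in range(200)]
    for name, sample in (("counter", counter_ids), ("clock", clock_ids),
                         ("csprng", random_ids)):
        print(name, assess(sample))
```

To use this against a real target, collect the session cookie from a few hundred fresh requests (no cookie jar, so each response issues a new ID) and pass the values to assess(). Monotonic IDs are the clearest signal; a low entropy estimate alone should prompt a larger sample before concluding anything, since the estimator is biased downward when there are few samples.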

Plugin Details

Severity: Medium

ID: 31657

File Name: www_nonrandom_session_id.nasl

Version: $Revision: 1.10 $

Type: remote

Family: Web Servers

Published: 2008/03/26

Modified: 2014/04/25

Dependencies: 10107

Risk Information

Risk Factor: Medium


Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N