0

Below is the implementation in ASP.NET for creating session ids (I've paraphrased).

edit (the RNG is shared):

using System.Security.Cryptography;

// shared across requests
static readonly RNGCryptoServiceProvider _randgen = new RNGCryptoServiceProvider();

string GetSessionId()
{
    var buffer = new byte[15];

    // fill the buffer with random bytes
    _randgen.GetBytes(buffer);

    // turn the bytes into a string of letters and numbers (no unsafe chars)
    // (Encode is not shown in the question)
    string encoding = Encode(buffer);
    return encoding;
}

The documentation on RNGCryptoServiceProvider.GetBytes says it is thread safe, however it's not clear what kind of thread safety that means. Does it simply guarantee no deadlocks or does it guarantee two threads will get different values? Is it possible for there to be a race condition where 2 requests would pull the same session id?

dan

2 Answers

1

Since a new RNGCryptoServiceProvider object is created inside the GetSessionId function, it is not accessed by multiple threads.

Edit: It means it won't crash if two or more threads use its functions. It does not guarantee any uniqueness (one thread or more) but will generate cryptographically strong random bytes.

Magnus
1

While GetBytes is thread safe (no deadlocks, no shared results), using it will NOT mean that the result is different each time.

Each time you call GetBytes, it is a whole new random result. Meaning that to be random it could also be a duplicate.

Granted with 15 bytes, that's a touch on the unlikely side, but it can happen.

Rangoric
  • Is there any documentation saying there are no shared results when calling the method from different threads? MSDN only says that the method is thread safe, which is incredibly vague. – dan Apr 19 '12 at 05:51
  • If it had shared results, it wouldn't be thread safe. Also the method ITSELF is marked as thread safe, not just the type. http://msdn.microsoft.com/en-us/library/system.security.cryptography.rngcryptoserviceprovider.getbytes(v=vs.100).aspx – Rangoric Apr 19 '12 at 14:01
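
An added example (not code from the question, the answers, or ASP.NET itself) that calls one shared RNGCryptoServiceProvider from many threads, counts duplicate ids, and prints the birthday-bound estimate for 120-bit ids. The hex encoding, the class and method names, and the sample size are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;

static class SessionIdDemo
{
    // One shared instance, as in the question's edit.
    static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();

    // 15 random bytes = 120 bits of entropy per id.
    // Hex encoding is an assumption standing in for the question's Encode().
    static string GetSessionId()
    {
        var buffer = new byte[15];   // per-call buffer, never shared between threads
        Rng.GetBytes(buffer);
        return BitConverter.ToString(buffer).Replace("-", "");
    }

    // Birthday bound, valid while the result is small:
    // P(at least one collision among n ids) ~= n^2 / 2^(bits + 1).
    static double CollisionProbability(double n, int bits)
    {
        return n * n / Math.Pow(2, bits + 1);
    }

    static void Main()
    {
        const int count = 1000000;   // constructed sample size
        var seen = new ConcurrentDictionary<string, byte>();
        int duplicates = 0;

        // TryAdd is the check a session store should make anyway:
        // reject (and regenerate) an id that is already in use.
        Parallel.For(0, count, i =>
        {
            if (!seen.TryAdd(GetSessionId(), 0))
                Interlocked.Increment(ref duplicates);
        });

        Console.WriteLine("ids: {0}, duplicates: {1}", count, duplicates);
        Console.WriteLine("P(collision), 1e6 ids:  {0:E2}", CollisionProbability(1e6, 120));
        Console.WriteLine("P(collision), 1e12 ids: {0:E2}", CollisionProbability(1e12, 120));
    }
}
```

A run with no duplicates does not prove uniqueness; it only agrees with the estimate, which is why the store-side check on insert is the actual guarantee.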