1

We are logging some tracking information to a database table within a classic ASP site. One of the pieces of information captured is the user's session ID (Session.SessionID). Examples of what is captured are:

  • 808592330
  • 14267388
  • 78330403

Then, separately in our IIS logs, session cookies are logged as such (these do not relate to the above examples... I just grabbed them from a log I happened to have open):

  • ASPSESSIONIDACCDBSTT=FKOFEKICECOLNGLOIFLFINEI
  • ASPSESSIONIDACCDBSTT=GLOFEKICEECEFHFFFCFFEPCA

The most important question is: how can I correlate the long session ID to the "likely encoded and possibly hashed or encrypted" textual representation?

And, secondarily, what do the values appended to ASPSESSIONID represent? (e.g. the "ACCDBSTT" in ASPSESSIONIDACCDBSTT)

Shawn Dube
  • 410
  • 3
  • 10

1 Answer

1

According to this MSDN article (which is ancient, but certainly makes sense in my experience):

  • Session ID values are 32-bit long integers.
  • Each time the Web server is restarted, a random Session ID starting value is selected.
  • For each ASP session that is created, this Session ID value is incremented.
  • The 32-bit Session ID is mixed with random data and encrypted to generate a 16-character cookie string. Later, when a cookie is received, the Session ID can be restored from the 16-character cookie string (ASPSESSIONID).
  • The encryption key used is randomly selected each time the Web server is restarted.

This makes it sound like it would be impossible/impractical to decrypt the cookie after the fact.

If what you want to do is match IIS log records with database changes, the way we accomplished this in the past was by adding an ASPSESSIONID column to our database AuditLog table. Every time we logged a change, we also grabbed just the ASPSESSIONID* cookie from Request.ServerVariables("HTTP_COOKIE") (session cookies aren't exposed through the Request.Cookies collection) and saved it in the DB as well. Then when we had issues we needed to track down, we'd just do a text search in the IIS log for the value of the cookie in the AuditLog table (or vice versa).

Kevin
  • 5,874
  • 3
  • 28
  • 35
  • Hmmm. Ok! Since the ASPSESSIONID has those random chars at the end (e.g. ASPSESSIONIDACCDBSTT) I can't ask for the cookie by name, so I tried iterating through the Request.Cookies collection and it wasn't there! Opened Chrome tools and went to Resources > Cookies and it is being set. Maybe the ASP handler strips that one out? How were you able to grab the cookie? – Shawn Dube Jun 04 '15 at 14:49
  • Looks like I can get it with Request.ServerVariables("HTTP_COOKIE"). Alrighty, that's the approach I'll take! Thanks! – Shawn Dube Jun 04 '15 at 14:57
  • 1
    For others using this solution: be aware of getting multiple ASPSESSIONIDs sent back. If that's an issue for you, see: http://stackoverflow.com/questions/12783878/classic-asp-multiple-aspsessionid-in-cookies – Shawn Dube Jun 04 '15 at 14:59
  • Yeah, it turns out we used Request.ServerVariables("HTTP_COOKIE"), too. Forgot about that issue, with IIS filtering ASP Session cookies out before giving you the Request.Cookies collection. – Kevin Jun 04 '15 at 15:09
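The correlation step the answer describes (an ASPSESSIONID column in the audit table, then a text search of the IIS log for that cookie value) can be scripted once the cookie strings are on both sides. The following Python is an added example written for this page, not code from the question or answer. It assumes the IIS site logs the optional `cs(Cookie)` W3C field, that the audit table rows are available as dicts with an `ASPSESSIONID` column, and it uses constructed sample log lines and audit rows. It also handles the caveat from the comments: a client can send more than one `ASPSESSIONID*` cookie, so every one of them is extracted rather than only the first.

```python
import re

# Classic ASP session cookies: a fixed prefix plus a per-application suffix
# (e.g. ASPSESSIONIDACCDBSTT).  The values on this page are upper-case
# letters only; the pattern tolerates any run of letters.
ASPSESSION_RE = re.compile(r'(ASPSESSIONID[A-Z]+)=([A-Z]+)')


def asp_session_cookies(cookie_header):
    """Return every ASPSESSIONID* cookie in a raw Cookie header as
    (name, value) pairs, in the order the client sent them.

    This is the same string classic ASP exposes as
    Request.ServerVariables("HTTP_COOKIE").  All matches are returned
    because a client may carry several ASPSESSIONID cookies (different
    application suffixes, or a stale one from an earlier server process)."""
    return ASPSESSION_RE.findall(cookie_header)


def parse_w3c_log(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names.

    IIS writes '-' for an empty field and '+' for a space inside a field
    (cs(User-Agent), cs(Cookie)); both are undone here."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith('#Fields:'):
            fields = line[len('#Fields:'):].split()
            continue
        if line.startswith('#'):          # #Software, #Version, #Date ...
            continue
        if fields is None:
            raise ValueError('data line before #Fields header')
        values = line.split()
        if len(values) != len(fields):
            raise ValueError('field count mismatch: %r' % line)
        rows.append({k: ('' if v == '-' else v.replace('+', ' '))
                     for k, v in zip(fields, values)})
    return rows


def correlate(iis_log_text, audit_rows):
    """Join IIS requests to audit-log rows on the ASPSESSIONID cookie value.

    audit_rows: iterable of dicts with an 'ASPSESSIONID' key holding the cookie
    string the ASP page saved next to each change.
    Returns a list of (request_dict, audit_row) pairs in log order."""
    by_cookie = {}
    for row in audit_rows:
        by_cookie.setdefault(row['ASPSESSIONID'], []).append(row)
    pairs = []
    for req in parse_w3c_log(iis_log_text):
        for _name, value in asp_session_cookies(req.get('cs(Cookie)', '')):
            for row in by_cookie.get(value, []):
                pairs.append((req, row))
    return pairs


# Constructed sample data (not taken from a real server).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(Cookie) sc-status
2015-06-04 14:49:01 10.0.0.5 POST /orders/update.asp id=42 192.0.2.10 ASPSESSIONIDACCDBSTT=FKOFEKICECOLNGLOIFLFINEI;+theme=dark 200
2015-06-04 14:49:07 10.0.0.5 GET /orders/list.asp - 192.0.2.11 ASPSESSIONIDACCDBSTT=GLOFEKICEECEFHFFFCFFEPCA 200
2015-06-04 14:49:09 10.0.0.5 POST /orders/update.asp id=43 192.0.2.12 ASPSESSIONIDACCDBSTT=GLOFEKICEECEFHFFFCFFEPCA;+ASPSESSIONIDQQRSTUVW=AAAABBBBCCCCDDDDEEEEFFFF 200
2015-06-04 14:49:15 10.0.0.5 GET /login.asp - 192.0.2.13 - 200
"""

SAMPLE_AUDIT_ROWS = [
    {'AuditId': 1, 'SessionId': 123456789, 'Action': 'UpdateOrder',
     'ASPSESSIONID': 'FKOFEKICECOLNGLOIFLFINEI'},
    {'AuditId': 2, 'SessionId': 987654321, 'Action': 'UpdateOrder',
     'ASPSESSIONID': 'GLOFEKICEECEFHFFFCFFEPCA'},
]

if __name__ == '__main__':
    for req, row in correlate(SAMPLE_IIS_LOG, SAMPLE_AUDIT_ROWS):
        print(req['date'], req['time'], req['c-ip'], req['cs-uri-stem'],
              '-> AuditId', row['AuditId'], row['Action'])
```

Two points worth keeping in mind when deploying this: `cs(Cookie)` is not in the default IIS logging field set, so it has to be enabled before the log carries anything to match on; and once session cookie values sit in both the IIS logs and the audit table, those two stores identify live sessions for as long as the server process runs, so they deserve the same access restrictions as the sessions themselves.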