Authenticated session identifiers

This site runs with the NWebsec.SessionSecurity library's session fixation protection. For unauthenticated users, you'll get the classic ASP.NET session behaviour. For authenticated users, things change a bit: they'll get session IDs that have a strong binding to their current user name.

Your username:
Your sessionID: npxzj2x43sp4prkoz2pmo301 (A classic ASP.NET session ID)

A classic ASP.NET session ID looks something like this: pbwadwa2pcytffdfn0ci3rit. If you're not logged in, log in to see that your session ID changes when you return to this page.

If you're logged in, you'll get an authenticated session ID that looks more like this:


The authenticated session ID is made up of two parts: 128 random bits, followed by a MAC that is calculated over the random bits and the username. Consequently, session IDs cannot be shared between authenticated users. Consult Authenticated session identifiers in the NWebsec documentation for the nitty-gritty details on how it works.
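The construction described above, sketched as an added example that is not NWebsec's own code (.NET 6 or later): it builds an ID from 128 random bits plus a MAC over those bits and the username, then shows that the ID validates only for the user it was issued to. HMAC-SHA256 as the MAC, the base64url encoding, the key handling, and all type, method and user names are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added illustration, not NWebsec's code. Assumed: HMAC-SHA256, base64url, all names.
public static class AuthenticatedSessionId
{
    const int RandomLength = 16; // 128 random bits
    const int MacLength = 32;    // HMAC-SHA256 output size

    public static string Create(byte[] key, string username)
    {
        byte[] random = RandomNumberGenerator.GetBytes(RandomLength);
        byte[] id = random.Concat(ComputeMac(key, random, username)).ToArray();
        return Convert.ToBase64String(id).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static bool Validate(byte[] key, string username, string sessionId)
    {
        if (string.IsNullOrEmpty(sessionId) || string.IsNullOrEmpty(username)) return false;
        string b64 = sessionId.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        byte[] raw;
        try { raw = Convert.FromBase64String(b64); }
        catch (FormatException) { return false; }
        if (raw.Length != RandomLength + MacLength) return false;

        byte[] random = raw.Take(RandomLength).ToArray();
        byte[] presented = raw.Skip(RandomLength).ToArray();
        // Recompute the MAC for the *current* user and compare in constant time.
        return CryptographicOperations.FixedTimeEquals(ComputeMac(key, random, username), presented);
    }

    static byte[] ComputeMac(byte[] key, byte[] random, string username)
    {
        using var hmac = new HMACSHA256(key);
        // The random part has fixed length, so random || username is unambiguous.
        return hmac.ComputeHash(random.Concat(Encoding.UTF8.GetBytes(username)).ToArray());
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed demo key
        string id = Create(key, "alice");                // constructed usernames
        Console.WriteLine("id=" + id);
        Console.WriteLine("valid for alice: " + Validate(key, "alice", id));
        Console.WriteLine("valid for bob:   " + Validate(key, "bob", id));
    }
}
```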