How secure are session IDs?
A number of iAS users have expressed concern that a non-authenticated user could duplicate the session ID of a customer who has already been authenticated, and gain access to restricted services by posing as that user. While there is a theoretical risk of this, it is unlikely to happen in practice. The session ID is a 64-bit one-way hash made from, among other things, a random number; the likelihood of synthesizing a session ID that matches the hash value of a session currently in progress is exceptionally small. There is, however, a small risk that an eavesdropper could obtain the values of currently active session IDs by network snooping. Sensible use of firewalls reduces this risk, and encryption of the Web connector protocol reduces it further. See below for discussion.
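As an added illustration (not code from the iAS documentation or product), the following Python mints a 64-bit hash-based session ID of the kind described above and puts a number on the "exceptionally small" guessing risk against a population of live sessions; the hash inputs, the choice of SHA-256 and the attacker guess budget are assumptions, since the page does not name them.

```python
import hashlib
import itertools
import secrets
import time

ID_BITS = 64  # the page states the session ID is a 64-bit one-way hash

_counter = itertools.count()  # assumed extra input so two IDs never share material


def new_session_id() -> str:
    """Return a session ID built the way the page describes: a one-way hash
    over a random value plus other material, truncated to 64 bits and
    rendered as 16 hex characters.  Which inputs iAS actually hashes is not
    stated on the page; CSPRNG bytes + time + counter is an assumption."""
    material = (
        secrets.token_bytes(16)                       # the random number
        + time.time_ns().to_bytes(8, "big")           # "among other things"
        + next(_counter).to_bytes(4, "big")
    )
    return hashlib.sha256(material).digest()[: ID_BITS // 8].hex()


def guess_success_probability(active_sessions: int, guesses: int,
                              bits: int = ID_BITS) -> float:
    """Upper bound on the chance that a blind guesser hits ANY of the
    currently active session IDs after `guesses` attempts, assuming IDs are
    uniformly distributed over 2**bits values (union bound, capped at 1)."""
    return min(1.0, active_sessions * guesses / 2 ** bits)


def ids_are_distinct(n: int) -> bool:
    """Sanity check a defender can run against the generator: n freshly
    minted IDs must not repeat."""
    return len({new_session_id() for _ in range(n)}) == n


if __name__ == "__main__":
    print("sample id:", new_session_id())
    # 1,000 live sessions, one billion guesses: negligible at 64 bits,
    # a certainty at 32 bits -- the width of the hash is what carries the risk.
    print("64-bit:", guess_success_probability(1000, 10**9))
    print("32-bit:", guess_success_probability(1000, 10**9, bits=32))
```

The calculation covers only blind guessing; it says nothing about the snooping risk the text goes on to describe, which no ID width mitigates.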