Hold Your Sessions: an Attack on Java Servlet Session-id Generation

HTTP session-id’s take an important role in almost any web site today. This paper presents a cryptanalysis of Java Servlet 128-bit session-id’s and an efficient practical prediction algorithm. Using this attack an adversary may impersonate a legitimate client. Through the analysis we also present a novel, general space-time tradeoff for secure pseudo random number generator attacks.