Session ID not random enough - ASP.NET

As I remember, ASP.NET session id generator gives good protection against session prediction. The session id has 24 characters using [a-z] chars and [0-5] digits (total of 32 possible chars which is 2^5) which gives a total of 2^(5*24) = 2^120 possible values. However you can implement a SessionIDManager to append some information (like user hostaddress, user-agent, a validation token using a HMAC algorithm) for even better protection - so that a session id comming from a different IP Address or different browser wouldn't pass the validation. If you have forms authentication implemented, this is not necessary since the authentication ticket already provides these kinds of protection.

If you want a better random session id you can use a RandomNumberGenerator such as RNGCryptoServiceProvider in your SessionIDManager and fill a bunch of bytes (say 32 which is 256 bits), then encode them using Base64

byte[] random = new byte[100];//RNGCryptoServiceProvider is an implementation of a random number generator.RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();rng.GetBytes(random); // The array is now filled with cryptographically strong random bytes.return Convert.ToBase64String(random) 

However, this article says that the max length of your session id is 80, so you must override the Validate method also in order for it to work.