I am creating a web service that requires me to create user sessions and random passwords, etc.
I was wondering if creating a static class and using 1 static instance of RNGCryptoServiceProvider for the whole site is a good idea?

1. Is it thread safe from multiple instances of an HTTP request?
2. Is it safe? If I let someone generate many sessions in a short period of time, would it be possible to find out the state of the RNG and predict the next sessions?

In my service, other users know when someone signs up, and I initially created a new RNGCryptoServiceProvider when they logged in to create a session, but I worry if this is based on the current time and time, theoretically someone can’t just go through several thousand sessions to “guess” another user's session if they knew something about what they were logged into?

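    using System;
    using System.Security.Cryptography;

    public static class random
    {
        // Shared generator, created on first use (the null check is not synchronized).
        private static RandomNumberGenerator _rng;

        // 'private' rather than 'protected': a static class cannot declare protected members.
        private static RandomNumberGenerator rng
        {
            get
            {
                if (_rng == null) _rng = new RNGCryptoServiceProvider();
                return _rng;
            }
        }

        // Returns 'number' bytes from the shared generator.
        public static byte[] Bytes(int number)
        {
            var value = new byte[number];
            rng.GetBytes(value);
            return value;
        }

        public static byte Byte { get { return Bytes(1)[0]; } }
        public static int Int { get { return BitConverter.ToInt32(Bytes(4), 0); } }
        public static long Long { get { return BitConverter.ToInt64(Bytes(8), 0); } }
    }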