Are Universally Unique Lexicographically Sortable Identifiers (ULIDs) safe to use as a session id?


The spec (which is not a real standard) explains that there are 80 random bits in a ULID. UUIDv4 is better from a security aspect, as it has 122 bits for randomness. But UUIDv4 has no monotonic sort order, and that would be very beneficial in my actual application.

So how bad would it be to use ULIDs for session ids?


Almost certainly unsafe. If two or more ULIDs would be generated in the same millisecond, the "random" component is replaced by a counter. An attacker could issue requests, then try adding or subtracting 1 to see if they collided with an existing session. If the system is processing more than 1000 requests per second the attack becomes certain to succeed.
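To make the answer's point concrete, here is an added example (not part of the original post) that implements the ULID layout from the spec (48-bit millisecond timestamp, 80-bit random component, Crockford base32) with the spec's monotonic behaviour, where a second ULID minted in the same millisecond reuses the previous random component incremented by 1, and contrasts it with an unstructured CSPRNG token. The frozen clock value, the factory and the function names are this example's own assumptions.

```python
import secrets
import time

CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"


def encode_base32(value: int, length: int) -> str:
    """Crockford base32, fixed width, most significant character first."""
    chars = []
    for _ in range(length):
        chars.append(CROCKFORD[value & 0x1F])
        value >>= 5
    return "".join(reversed(chars))


def decode_base32(text: str) -> int:
    """Inverse of encode_base32 for uppercase Crockford alphabet input."""
    value = 0
    for ch in text:
        value = (value << 5) | CROCKFORD.index(ch)
    return value


class MonotonicUlidFactory:
    """Mints ULIDs in the spec's monotonic mode: within one millisecond the
    80-bit random component is the previous one plus 1, not a fresh draw."""

    def __init__(self, clock_ms=None):
        # clock_ms is injectable so the same-millisecond case is reproducible.
        self._clock_ms = clock_ms or (lambda: time.time_ns() // 1_000_000)
        self._last_ms = -1
        self._last_rand = 0

    def new(self) -> str:
        now = self._clock_ms()
        if now == self._last_ms:
            rand = self._last_rand + 1
            if rand >= 1 << 80:
                raise OverflowError("random component exhausted in one millisecond")
        else:
            rand = secrets.randbits(80)
        self._last_ms, self._last_rand = now, rand
        # 10 chars carry the 48-bit timestamp, 16 chars carry the 80 random bits.
        return encode_base32(now, 10) + encode_base32(rand, 16)


def random_component(ulid: str) -> int:
    """The 80-bit random part of a 26-character ULID."""
    return decode_base32(ulid[10:])


def random_distance(a: str, b: str) -> int:
    """How far apart the random components of two ULIDs are. For two IDs
    minted in the same millisecond in monotonic mode this is exactly 1,
    which is why one valid session id reveals its neighbours."""
    return random_component(b) - random_component(a)


def new_session_id() -> str:
    """A session id with no structure to walk: 256 bits straight from the CSPRNG.
    Keep creation time in a separate column if you need to sort sessions."""
    return secrets.token_urlsafe(32)


def demo():
    # Constructed fixed clock: every ID below lands in the same millisecond.
    frozen = MonotonicUlidFactory(clock_ms=lambda: 1_700_000_000_000)
    ids = [frozen.new() for _ in range(5)]
    return [random_distance(ids[i], ids[i + 1]) for i in range(4)]


if __name__ == "__main__":
    print(demo())            # [1, 1, 1, 1]
    print(new_session_id())  # 43 URL-safe characters, no timestamp, no counter
```

`demo()` returns a list of 1s: each ULID minted under a frozen clock is the previous one plus 1 in its random component, so the 80 "random" bits provide no unpredictability between concurrent sessions. `new_session_id()` is the drop-in alternative for the session cookie itself; if ordering matters, store the ULID or a timestamp alongside the token in the session table rather than handing the sortable value to the browser.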


