Mike_Ho
Jul 25, 2008Cirrus
How unique are session IDs supposed to be?
Hiya, newbie Firepass (FP) user here. I'm auditing logins to our FPs via syslogs and I was hoping I could rely on the "Sid" reported during logon and logoff events to be good ways to track sessions. That does not appear to be true and I'm wondering if what I'm seeing is what I *should* be seeing or not.
We're running 6.0.2 by the way. See this example of what looks like two distinct logins by a user on the same day and the SID is the same for two distinct sessions:
Jul 24 20:16:48 1.2.3.4 security[4776]: [foobar@authtype] User foobar logged on from 4.5.6.7 Sid = fd3cf
Jul 24 20:28:42 1.2.3.4 GarbageCollection[9232]: session 'fd3cf63b065a8398d3dc9c501682be70' is expired due to inactivity. User may have logged out improperly.
Jul 24 20:28:50 1.2.3.4 security[9083]: [foobar@authtype] User foobar logged on from 4.5.6.7 Sid = fd3cf
Jul 24 20:49:42 1.2.3.4 GarbageCollection[16585]: session 'fd3cf63b065a8398d3dc9c501682be70' is expired due to inactivity. User may have logged out improperly.
Can anyone share what the SID is a hash of? Thanks.