---
title: Reference Tokens 128-bit Entropy CSPRNG
impact: HIGH
impactDescription: prevents token brute-forcing
tags: tokens, entropy, csprng, session, security, csharp
---

## Reference Tokens 128-bit Entropy CSPRNG

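Reference tokens (session IDs, API keys) must be generated with a cryptographically secure random number generator (CSPRNG) and carry at least 128 bits of entropy, so they cannot be guessed or brute-forced.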

**Incorrect (using Guid or Random):**

```csharp
var token = Guid.NewGuid().ToString(); // Version 4 GUID: at most 122 random bits; GUIDs are designed for uniqueness, not secrecy
var token2 = new Random().Next().ToString(); // Non-cryptographic PRNG, at most 31 bits: very weak
```

**Correct (RNGCryptoServiceProvider / RandomNumberGenerator):**

```csharp
using System.Security.Cryptography;

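// length is the number of random bytes: 32 bytes = 256 bits (16 bytes is the 128-bit minimum).
string GenerateToken(int length = 32)
{
    var bytes = new byte[length];
    RandomNumberGenerator.Fill(bytes); // OS-backed CSPRNG
    return Convert.ToBase64String(bytes)
        .Replace("+", "-").Replace("/", "_").Replace("=", ""); // Base64Url, padding stripped
}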
```
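
The following is an added example, not part of the original rule: a generator that refuses anything below the 128-bit floor, next to a demonstration that a seeded `System.Random` replays its output. The class name `ReferenceTokenExample`, the `PayloadBits` helper and the seed value are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;

public static class ReferenceTokenExample // hypothetical name, not from the rule
{
    public const int MinimumBytes = 16; // 16 bytes = the 128-bit floor in the title

    // Returns a Base64Url token built from byteLength bytes of CSPRNG output.
    public static string Generate(int byteLength = 32)
    {
        if (byteLength < MinimumBytes)
            throw new ArgumentOutOfRangeException(nameof(byteLength),
                "Reference tokens need at least 16 random bytes (128 bits).");

        var bytes = new byte[byteLength];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToBase64String(bytes)
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Decoded payload size of a Base64Url token in bits, or -1 if it does not decode.
    // Hypothetical helper: it measures length only, not how the bytes were produced.
    public static int PayloadBits(string token)
    {
        var b64 = token.Replace('-', '+').Replace('_', '/');
        if (b64.Length % 4 == 1) return -1; // impossible Base64 length
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        try { return Convert.FromBase64String(b64).Length * 8; }
        catch (FormatException) { return -1; }
    }

    public static void Main()
    {
        // A seeded System.Random is deterministic: the same seed replays the same
        // sequence, so these two "tokens" are identical (seed value is constructed).
        var weakA = new Random(20240101).Next().ToString();
        var weakB = new Random(20240101).Next().ToString();
        Console.WriteLine($"Random with equal seeds match: {weakA == weakB}");

        var token = Generate();
        Console.WriteLine($"{token} carries {PayloadBits(token)} bits");

        // The floor rejects a request for a 64-bit token.
        try { Generate(8); }
        catch (ArgumentOutOfRangeException e) { Console.WriteLine($"rejected: {e.ParamName}"); }
    }
}
```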

**Tools:** SonarQube
