Session ID Generator
Mint high-entropy session tokens with crypto.getRandomValues. Pick hex, base64, base64url or alphanumeric encoding, custom length, optional prefix and batch sizes. Strength meter included. Free and 100% private.
What is the Session ID Generator?
Session ID Generator mints cryptographically-strong random tokens you can use as session identifiers, auth cookies, magic-link tokens, password-reset codes or any other place you need a hard-to-guess identifier. Every byte of entropy comes from `crypto.getRandomValues` — the WebCrypto cryptographically-strong RNG — chunked through the typed-array in 64 KB blocks so it respects the per-call API limit. Four output encodings: hexadecimal (widest compatibility, 2 chars per byte), Base64 (4 chars per 3 bytes), Base64 URL-safe (drops +/= for cookie / URL safety) and an Alphanumeric mode that uses rejection sampling to avoid modulo bias. A live strength meter shows the effective bits of entropy and ranks the configuration as weak / OK / strong / overkill based on common 80 / 128 / 256-bit thresholds. Generate a single token or up to 500 at once, with an optional prefix (`sess_`, `tok_` …). Nothing leaves the browser.
How to use it
- Pick an encoding — hex / base64 / base64url / alphanumeric.
- Set the desired token length in characters and how many tokens to mint.
- Optionally add a prefix like `sess_`.
- Click Regenerate, copy individual tokens or download the whole batch as .txt.
Benefits
- crypto.getRandomValues for cryptographically-strong randomness — chunked in 64 KB blocks.
- Four encodings (hex / base64 / base64url / alphanumeric) covering every common cookie/URL need.
- Alphanumeric mode uses rejection sampling so the character distribution is uniform (no modulo bias).
- Live entropy meter ranks strength as weak / OK / strong / overkill against 80 / 128 / 256-bit thresholds.
- Batch sizes 1–500 in a single click, with downloadable .txt export.
- Optional prefix and per-token copy buttons.
- Persists last settings in localStorage for one-click resume.
- Runs 100% in your browser — tokens are never sent to a server.
Frequently asked questions
Are these tokens truly random?
Yes — every byte comes from `crypto.getRandomValues`, the WebCrypto cryptographically-strong RNG seeded from the OS entropy pool. They're suitable for production session IDs, magic links and password-reset tokens.
What's the difference between Base64 and Base64URL?
Standard Base64 uses + and / characters and = for padding — all of which can mean trouble in URLs and cookies. Base64URL replaces + with -, / with _ and drops the = padding so the token is safe to put in URLs and cookie names without any encoding.
Why does the alphanumeric mode use 'rejection sampling'?
If you took a random byte (0-255) and did `byte % 62` you'd over-represent the first 8 characters of the alphabet because 256 isn't a multiple of 62. We reject bytes ≥ 248 and only use the rest, so every character has exactly 1/62 probability.
What's a 'good' token length?
For session cookies, 128 bits of entropy is the consensus minimum and 256 bits is the standard for serious deployments. Hex needs 32 / 64 characters; Base64URL needs 22 / 43; alphanumeric needs ~22 / 43 — the strength meter shows you live.
Can I use these as API keys?
Yes, but our API Key Generator is purpose-built with prefix, segmented blocks and checksum support — better suited for keys that humans paste around.
Can I generate millions of tokens?
Each click mints up to 500. For more, click Regenerate again — there's no rate limit because everything's local. A 500-token batch of 32-char tokens takes a few milliseconds.
How does the strength meter calculate bits?
Bits = `floor(length × log2(alphabet_size))`. Hex's alphabet is 16 chars (4 bits/char); base64 / base64url have 64 chars (6 bits/char); alphanumeric has 62 chars (~5.95 bits/char).
Is Math.random ever used?
Only as a last-resort fallback if `crypto.getRandomValues` is somehow unavailable — which would only happen in an extremely old browser. In practice every modern browser supports it.
Are my tokens stored?
Only your last settings persist (encoding, length, prefix, count). The generated tokens themselves live only in the page state — refresh and they're gone.
Why is there a Cookie icon?
Session IDs are most commonly stored in HTTP cookies — the icon is a nod to that. The tool works just as well for any random-token use case.
Is anything uploaded?
No. Token minting, the strength calculation and the entropy estimation all run in your browser. Toollyz has no backend.