The maximum length of a session identifier is 80 characters.

While session identifiers created by the SessionIDManager.CreateSessionID(System.Web.HttpContext) method are 24 characters long, the maximum length of a session identifier allowed by the System.Web.SessionState.SessionIDManager class is 80 characters. This is especially important if you implement a custom System.Web.SessionState.SessionIDManager. The SessionIDManager.GetSessionID(System.Web.HttpContext) method, which retrieves session-identifier values from the current System.Web.HttpRequest, ensures that values do not exceed the SessionIDManager.SessionIDMaxLength value and that the session identifier is a 24-character string containing only the lowercase characters a to z and the numbers 0 to 5 by calling the SessionIDManager.Validate(string) method. If you implement a custom System.Web.SessionState.SessionIDManager class that inherits the System.Web.SessionState.SessionIDManager class and overrides the SessionIDManager.CreateSessionID(System.Web.HttpContext) method but not the SessionIDManager.Validate(string) method, your custom session-identifier values must meet the constraints above. For an example of overriding the System.Web.SessionState.SessionIDManager class and implementing these methods, see the example provided for the SessionIDManager.CreateSessionID(System.Web.HttpContext) method.