Best IT Recipes

How unique is the php session id

How unique is the php session id? I got the impression of the different things that I read that I should not rely on two users who never get the same session. Isn't that a GUID?

+83
php guid session
Sep 26 '08 at 10:41
source share
7 answers

Session_id can indeed be duplicated, but the probability is very low. If you have a website with fair traffic, this can happen once in your life on a website and just annoys one user in one session.

This should not be taken care of if you do not plan to create a site with very high traffic or a service for the banking industry.

+30
Sep 26 '08 at 11:25
source share

It is not very unique as shipped. In the default configuration, this is the result of a hash of various things, including the result of gettimeofday (which is not terribly unique), but if you are worried, you should configure it to attract some entropy from / dev / urandom, for example

ini_set("session.entropy_file", "/dev/urandom"); ini_set("session.entropy_length", "512");

find "php_session_create_id" in the code for the actual algorithm that they use.

Edited to add: There, the DFA random number generator seeded by pid mixes up with time in usec. This is not a solid condition for uniqueness, especially from a security point of view . Use the entropy configuration above.

Update:

Starting with PHP 5.4.0, session.entropy_file defaults to / dev / urandom or / dev / arandom if available. In PHP 5.3.0, this directive remains Empty by default. PHP manual

+58
Sep 26 '08 at 11:01
source share

You can set an alternative hash generation function if you want to configure the method of generating the identifier (by default, this is a 128-bit number generated via MD5). See http://www.php.net/manual/en/session.configuration.php#ini.session.hash-function

For more information on PHP sessions, try this excellent article http://shiflett.org/articles/the-truth-about-sessions , which also links to other articles about session fixing and capture.

+11
Sep 26 '08 at 11:01
source share

If you want to know how PHP generates a default session id, check out the Github source code. This, of course, is not random and is based on the hash (default: md5) of these ingredients (see line 310 of the code snippet):

  • Client IP address
  • Current time
  • PHP linear congruence generator - pseudo random number generator (PRNG)
  • OS - specific random source - if the OS has an available random source (e.g. / dev / urandom)

If the OS has a random source, then the strength of the generated identifier for the session identifier is high (/ dev / urandom and other random OS sources are (usually) cryptographically secure PRNGs). If, however, this is not satisfactory.

The purpose of generating session identification is:

  • minimize the probability of generating two session identifiers with the same value
  • make computational the creation of random keys difficult and use one of them.

This is achieved using the PHP approach to session generation.

You cannot absolutely guarantee uniqueness , but the probabilities are so low that they hit the same hash twice, that, generally speaking, there is no need to worry.

+9
Dec 04 '14 at 15:45
source share

Session_id size
Assume that seeion_id is evenly distributed and has a size = 128 bits. Suppose that every person on the planet is registered once a day with a constant session for 1000 years.

 num_sesion_ids = 1000*365.25 *7*10**9 < 2**36 collission_prob < 1 - (1-1/2**82)**(2**36) β‰ˆ 1 - e**-(1/2**46) β‰ˆ 1/2**46

Thus, the probability of one or more collisions is less than one by 70 thousand billion. Therefore, the size of the session_id of 128 bits should be large enough. As mentioned in other comments, session_manager can also verify that the new session_id does not exist yet.

Randomness
Therefore, the big question, in my opinion, is whether session_id: s is generated with good pseudo-randomness. You can never be sure of this, but I would recommend using the well-known and often used standard solution for this purpose (as you probably already did).

Even if collisions are avoided due to verification, randomness and the size of session_id is important, so hackers cannot somehow make qualified guesses and find active session_id: s with high probability.

+5
Jun 13 2018-12-12T00:
source share

I have not found confirmation of this, but I believe php checks to see if a session id already exists before creating it with that id.

The problem with capturing a session that people are worried about is when someone finds out the session ID of the active user. This can be prevented in many ways, for more information about this you can see this page on php.net and this document about session fixation.

+3
Sep 26 '08 at 10:53
source share

No, the session identifier is not a GUID, but two users should not receive the same session identifier, since they are stored on the server side.

+2
Sep 26 '08 at 10:50
source share


More articles:


All Articles