Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How unique is the php session id

Tags:

php

guid

session

How unique is the php session id? I got the impression from various things that I've read that I should not rely on two users never getting the same sessionid. Isn't it a GUID?

like image 763
Jalov Avatar asked Sep 26 '08 10:09

Jalov

People also ask

Is session ID unique?

A session ID is a unique number that a Web site's server assigns a specific user for the duration of that user's visit (session). The session ID can be stored as a cookie, form field, or URL (Uniform Resource Locator). Some Web servers generate session IDs by simply incrementing static numbers.

How does PHP generate session ID?

The session id is a random value generated when a session is started. The session id is stored as a cookie in the browser such that on subsequent visits the data stored in the session can be loaded and reused. This issue is about the session id (cookie value) and not about the session name (cookie name).

What is PHP session ID?

PHP - session_id() Function Sessions or session handling is a way to make the data available across various pages of a web application. The session_id() function is used to set or retrieve a custom id to the current.

Is session unique for every user?

Besides session hijacking, one session is always tied to just one user.

2 Answers

It's not very unique as shipped. In the default configuration it's the result of a hash of various things including the result of gettimeofday (which isn't terribly unique), but if you're worried, you should configure it to draw some entropy from /dev/urandom, like so

ini_set("session.entropy_file", "/dev/urandom"); ini_set("session.entropy_length", "512");

search for "php_session_create_id" in the code for the actual algorithm they're using.

Edited to add: There's a DFA random-number generator seeded by the pid, mixed with the time in usecs. It's not a firm uniqueness condition especially from a security perspective. Use the entropy config above.

Update:

As of PHP 5.4.0 session.entropy_file defaults to /dev/urandom or /dev/arandom if it is available. In PHP 5.3.0 this directive is left empty by default. PHP Manual

like image 110
djsadinoff Avatar answered Oct 05 '22 05:10

djsadinoff

Session_id can indeed be duplicated, but the probability is very low. If you have a website with a fair traffic, it may happens once in you web site life, and will just annoy one user for one session.

This is not worth to care about unless you expect to build a very high traffic website or a service for the bank industry.

like image 29
e-satis Avatar answered Oct 05 '22 05:10

e-satis
Sign in to Comment

Related questions

How to document magic (_call and _callStatic) methods for IDEs
Can PHP instantiate an object from the name of the class as a string?
Simultaneous Requests to PHP Script
Facebook Graph API, how to get users email?
What is the difference between session_unset() and session_destroy() in PHP?
Fatal error: [] operator not supported for strings
phpunit avoid constructor arguments for mock
PHP - Floating Number Precision [duplicate]
Downloading a large file using curl
How can I run only one test from a suite?
Manually register a user in Laravel
Random number in range [min - max] using PHP
Get custom product attributes in Woocommerce
Laravel validation attributes "nice names"
How to get user agent in PHP
Laravel 5 Application Key
Is there a built-in way to get all of the changed/updated fields in a Doctrine 2 entity
How to get all keys from a array that start with a certain string?
Selecting a css class with xpath
Checking if a variable is an integer in PHP

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!