Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What is the length of a PHP session id string?

Tags:

php

mysql

session

sessionid

I'm making a table in a MySQL database to save some session data, including session_id. What should be the length of the VARCHAR to store the session_id string?

like image 435
Gustavo Avatar asked Sep 03 '12 00:09

Gustavo

People also ask

How long is a session id?

Session identifiers should be at least 128 bits long to prevent brute-force session guessing attacks. The WebLogic deployment descriptor should specify a session identifier length of at least 128 bits. A shorter session identifier leaves the application open to brute-force session guessing attacks.

What is PHP session id?

PHP - session_id() Function Sessions or session handling is a way to make the data available across various pages of a web application. The session_id() function is used to set or retrieve a custom id to the current.

How can I know my session id in PHP?

Before getting a session id you need to start a session and that is done by using: session_start() function. Now that you have started a session you can get a session id by using: session_id().

What is the value of session id?

The session ID enables an ASP.NET application to associate a specific browser with related session data and information on the Web server. Session ID values are transmitted between the browser and the Web server in a cookie, or in the URL if cookieless sessions are specified.

2 Answers

Depends on session.hash_function and session.hash_bits_per_character.

Check out the session_id page for more info.

The higher you set session.hash_bits_per_character the shorter your session_id will become by using more bits per character. The possible values are 4, 5, or 6.

When using sha-1 for hashing (by setting ini_set('session.hash_function', 1) the following session string lengths are produced by the three session.hash_bits_per_character settings:

4 - 40 character string

5 - 32 character string

6 - 27 character string

like image 148
sachleen Avatar answered Sep 23 '22 05:09

sachleen

@sachleen answer isn't full.
More detailed info about session id length is described here.

Summary: 

128-bit digest (MD5)   4 bits/char: 32 char SID     5 bits/char: 26 char SID     6 bits/char: 22 char SID  160-bit digest (SHA-1) 4 bits/char: 40 char SID     5 bits/char: 32 char SID     6 bits/char: 27 char SID

And sample regex to check session id: 

preg_match('/^[a-zA-Z0-9,-]{22,40}$/', $sessionId)
like image 31
Andron Avatar answered Sep 26 '22 05:09

Andron
Sign in to Comment

Related questions

Can anyone give me an example for PHP's CURLFile class?
Can we reload one of the PHP-FPM pool without disturbing others
Private static method vs. static method
How to design a hierarchical role based access control system
What is a line length "soft limit" and how do I interpret this in the PSR-2 convention?
An example of an MVC controller
Set Session variable using javascript in PHP
Zend Form: How do I make it bend to my will?
How can I use var_dump + output buffering without memory errors?
PHP profiling with microtime(): Negative time?
Can I declare that a php function throws an exception?
window.history.pushState refreshing the browser
What's the difference between __construct() and init()
Error 405 (Method Not Allowed) Laravel 5
Laravel Custom Model Methods
Verify receipt for in App purchase
Bool parameter from jQuery Ajax received as literal string "false"/"true" in PHP
How to use HTTP_X_FORWARDED_FOR properly?
Practical Zend_ACL + Zend_Auth implementation and best practices
mysql_real_escape_string VS addslashes

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!