views: 5987
answers: 5

How unique is the PHP session id? I got the impression from various things that I've read that I should not rely on two users never getting the same session id. Isn't it a GUID?

+2  A: 

No, a session id is not a GUID, but two users should not get the same session id as they are stored on the server side.

gizmo
May I ask why I'm being downvoted?
gizmo
Possibly because the server-side storage doesn't guarantee uniqueness in any way. Uniqueness is one thing - if there is a collision it will collide regardless of where the session is stored.
Steve Kemp
Not by me, I appreciate your response (as well as the others). -- Jalov
Jalov
+3  A: 

I have not found a confirmation on this, but I believe PHP checks if a session id already exists before creating one with that id.

The session hijacking issue people are worried about is when someone finds out the session id of an active user. This can be prevented in many ways; for more info on that, you can see this page on php.net and this paper on session fixation.

Ólafur Waage
...but if you're just one PHP server in a bank of several, there's no guarantee that the server has sufficient knowledge to know whether the sessionID has been used yet.
djsadinoff
Yes that is a very good point.
Ólafur Waage
Why would it matter if I got the same session id in 2 different php servers? Assuming 2 different domains, the session cookie is only accessible from each domain...?
daremon
The easiest way to prevent dupes on a multi-server environment is to store the sessions in memcached via the memcached session handler. Problem solved, and your users can bounce around diff servers w/o losing their stuff.
hopeseekr
+2  A: 

You can install an alternative hash generation function if you want to customise the way the ID is generated (it's a 128-bit number generated via MD5 by default). See http://uk2.php.net/manual/en/session.configuration.php#ini.session.hash-function

For more information on PHP sessions, try this excellent article http://shiflett.org/articles/the-truth-about-sessions which also links to other articles about session fixation and hijack.

Paul Dixon
+14  A: 

It's not very unique by default. By default it's the result of a hash of various things including the result of gettimeofday (which isn't terribly unique), but if you're worried, you should configure it to draw some entropy from /dev/urandom, like so:

<?php
// read 512 bytes from /dev/urandom each time a session id is generated
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");

Search for "php_session_create_id" in the code for the actual algorithm they're using.

Edited to add: There's a DFA random-number generator seeded by the pid, mixed with the time in usecs. It's not a firm uniqueness condition especially from a security perspective. Use the entropy config above.

djsadinoff
Yeah, when I was a contractor for a website that had to be ultrasecure against enemy combatants and such, I actually created my own session handler and fed it entropy data directly from random.org. But the reqs of that system were far beyond what most mere mortals deal w/ ;-)
hopeseekr
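The two concerns raised above, "does PHP check that an id is not already in use, even across several servers?" and "is the default id generation random enough?", can both be settled by a custom save handler. The following is an added example, not code from the question or any answer: it assumes PHP 8 (where the session.entropy_* directives no longer exist, having been removed in 7.1), PDO, and a constructed `sessions` table shared by every web server; the sqlite path is a placeholder.

```php
<?php
// Assumed schema, constructed for this example and shared by all servers:
//   CREATE TABLE sessions (id VARCHAR(64) PRIMARY KEY, data BLOB, ts INT);
// The PRIMARY KEY is what turns "I believe PHP checks for duplicates" into a
// guarantee that still holds when several PHP servers allocate ids at once.
final class UniqueSessionHandler implements SessionHandlerInterface,
    SessionIdInterface, SessionUpdateTimestampHandlerInterface {
    public function __construct(private PDO $db) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    // 256 bits from the CSPRNG instead of a hash of gettimeofday() and the pid.
    // The id is reserved in the store before the client sees it; a duplicate
    // key (SQLSTATE 23000) means "draw again", any other error is real.
    public function create_sid(): string
    {
        $ins = $this->db->prepare('INSERT INTO sessions (id, data, ts) VALUES (?, ?, ?)');
        for ($try = 0; $try < 5; $try++) {
            $id = bin2hex(random_bytes(32));
            try { $ins->execute([$id, '', time()]); return $id; }
            catch (PDOException $e) { if ((string) $e->getCode() !== '23000') throw $e; }
        }
        throw new RuntimeException('could not reserve a unique session id');
    }
    // With session.use_strict_mode=1 PHP asks this before trusting a cookie:
    // an id this store never issued is refused and replaced, which is the
    // defence against the session fixation attack linked in the answers.
    public function validateId(string $id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ?');
        $st->execute([$id]);
        return $st->fetchColumn() !== false;
    }
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        return (string) $st->fetchColumn();  // '' for a row just reserved by create_sid()
    }
    public function write(string $id, string $data): bool
    {   // the row already exists from create_sid(), so a plain UPDATE is portable
        return $this->db->prepare('UPDATE sessions SET data = ?, ts = ? WHERE id = ?')->execute([$data, time(), $id]);
    }
    public function updateTimestamp(string $id, string $data): bool { return $this->write($id, $data); }
    public function destroy(string $id): bool
    { return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]); }
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE ts < ?');
        return $st->execute([time() - $max_lifetime]) ? $st->rowCount() : false;
    }
}
ini_set('session.use_strict_mode', '1');  // without this validateId() is never consulted
session_set_save_handler(new UniqueSessionHandler(new PDO('sqlite:/tmp/sessions.db')), true);
session_start();
```

The retry loop is there for completeness only: with 256 random bits a duplicate-key hit would itself be evidence of a broken RNG, which is exactly the failure mode the gettimeofday()-plus-pid default was exposed to.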
+5  A: 

Session_id can indeed be duplicated, but the probability is very low. If you have a website with fair traffic, it may happen once in your website's life, and will just annoy one user for one session.

This is not worth caring about unless you expect to build a very high-traffic website or a service for the banking industry.

e-satis