How Unique Is the PHP Session Id

How unique is the php session id

Session_id can indeed be duplicated, but the probability is very low. If you have a website with a fair amount of traffic, it may happen once in your website's life, and will just annoy one user for one session.

This is not worth caring about unless you expect to build a very high traffic website or a service for the banking industry.

How unique is the session ID in Laravel?

The session ID is pretty unique; it can be duplicated, but the probability is very low. If you have a website with a fair amount of traffic, it may happen once in your website's life, and will just annoy one user for one session. This is not worth caring about unless you expect to build a very high traffic website.

Creating a session with a unique ID for 1 hour - PHP

If you want a random ID to be attached to a session that refreshes after one hour, simply store the time it was last generated with the session.

For example:

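    session_start();

    // Store a fresh code together with the time it was generated.
    // uniqid() is derived from the current time: unique enough for a label,
    // but not unpredictable.
    function regenerate() {
        $_SESSION['code'] = uniqid();
        $_SESSION['code_time'] = time();
    }

    // If there's no code, or the code has expired (older than one hour)
    if (empty($_SESSION['code']) || time() - $_SESSION['code_time'] > 3600) {
        regenerate();
    }

    echo "Your code is " . $_SESSION['code'] . " it was generated on " . date('m/d/Y h:i:s a', $_SESSION['code_time']);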

PHP session IDs -- how are they generated?

If you want to know how PHP generates a session ID by default, check out the source code on GitHub. It is certainly not random and is based on a hash (default: md5) of these ingredients (see line 310 of code snippet):

  1. IP address of the client
  2. Current time
  3. PHP Linear Congruence Generator - a pseudo random number generator (PRNG)
  4. OS-specific random source - if the OS has a random source available (e.g. /dev/urandom)

If the OS has a random source available, then the strength of the generated ID for the purpose of being a session ID is high (/dev/urandom and other OS random sources are (usually) cryptographically secure PRNGs). If, however, it does not, then it is satisfactory.

The goal with session identification generation is to:

  1. minimise the probability of generating two session IDs with the same value
  2. make it computationally very challenging to generate random keys and hit an in-use one.

This is achieved by PHP's approach to session generation.

You cannot absolutely guarantee uniqueness, but the probabilities are so low of hitting the same hash twice that it is, generally speaking, not worth worrying about.

PHP Session ID uniqueness (for use in a cookie)

Append the current time in microseconds to the unique ID...

    session_id() . microtime();

So not only would the session_ids have to be the same, it would have to happen on the same microsecond... making the vanishingly unlikely just about impossible. The only way to guarantee it 100% is to check this random value against all existing session ids and re-roll it if it already exists.
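The "check against existing IDs and re-roll" step from this answer, together with the birthday-bound estimate behind the "probabilities are so low" remark in the previous answer, as an added example that is not part of the original answers. It draws IDs from the OS CSPRNG rather than appending a timestamp; `$store`, `randomId()`, `newUniqueId()` and `collisionProbability()` are hypothetical names.

```php
<?php
// Added example, not from the original answers. $store is a constructed
// in-memory stand-in for wherever live session IDs are kept (DB table, cache).

/** 128 bits from the OS CSPRNG, hex-encoded (32 characters). */
function randomId(): string
{
    return bin2hex(random_bytes(16));
}

/** Draw IDs until one is not already in use, then reserve it. */
function newUniqueId(array &$store, ?callable $generate = null): string
{
    $generate = $generate ?? 'randomId';
    do {
        $id = $generate();
    } while (isset($store[$id]));   // re-roll on collision
    // With a shared store, check-then-insert is racy: enforce uniqueness in
    // the store itself (e.g. a UNIQUE constraint) and retry on violation.
    $store[$id] = time();
    return $id;
}

/** Birthday bound: chance that any two of $n random $bits-bit IDs collide. */
function collisionProbability(int $bits, float $n): float
{
    // p ~ 1 - exp(-n(n-1) / 2^(bits+1)); expm1 keeps precision for tiny p.
    return -expm1(-($n * ($n - 1)) / pow(2.0, $bits + 1));
}

$store = [];
$a = newUniqueId($store);
$b = newUniqueId($store);
var_dump($a !== $b, strlen($a));

// Constructed generator that repeats its first value, to force one re-roll.
$seq = ['aaaa', 'aaaa', 'bbbb'];
$fake = function () use (&$seq) { return array_shift($seq); };
$taken = [];
newUniqueId($taken, $fake);             // reserves the first value
echo newUniqueId($taken, $fake), "\n";  // first draw is taken, so it draws again

// Estimated collision chance for one billion live 128-bit IDs.
printf("%.3e\n", collisionProbability(128, 1e9));
```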

Session for every user unique or do I have to set it myself? If so how?

A session is always unique to one visitor. session_start generates a random session id, which it puts in a cookie, which only your current visitor will receive. On the next request, that cookie with the unique session id is picked up on by session_start and the session is resumed.

However, this by itself won't tell you which of your user accounts specifically the session belongs to. You'll have to record that information yourself. E.g.:

    // $loginSuccessful is a placeholder for the result of your own credential check
    if ($loginSuccessful) {
        session_start();
        $_SESSION['user_id'] = $loggedInUserId;
    }
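A fuller version of the login step above, as an added example that is not part of the original answer: it issues a fresh session ID at the moment the user ID is stored, so an ID that was known before login cannot be reused afterwards. It assumes PHP 7.3 or later and an HTTPS site; `$users`, `startSecureSession()`, `login()` and `currentUserId()` are hypothetical names, and the user record is constructed.

```php
<?php
// Added example, not from the original answer. $users is a constructed
// stand-in for a user table; all function names here are hypothetical.

function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,         // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,      // assumes the site is served over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(array $users, string $name, string $password): bool
{
    $user = $users[$name] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // New ID at the privilege change; true deletes the pre-login session
    // data, which closes the session fixation window.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    return true;
}

function currentUserId(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

// Constructed sample account.
$users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];

startSecureSession();
$before   = session_id();
$rejected = login($users, 'alice', 'wrong');
$accepted = login($users, 'alice', 'correct horse');

// Print only after all session calls: output first would block the ID change.
var_dump($rejected, $accepted, session_id() !== $before, currentUserId());
```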

How to generate a unique session ID in php

I've achieved this system by using an OAuth type flow but we replaced the Consumer with the User.

So each domain would have the authenticated Access_Token in its own session.
You would then use that Access_Token to get information about the user from an API.

I also solved the session problem using session_set_save_handler and storing sessions in a database table... This table would have the Access_Token also, making it really easy to find the session with a DB Query.

Hope this helps with ideas.

Sessions in PHP and login confusion

To clear up your confusion, I will go point by point.

So a new session should be created now, right? Why do we include session_start() in the beginning of login.php then?

We include session_start() because it tells PHP to start the session; only then can you store any information in $_SESSION, so session_start() is necessary.


But on the server side, how will USER A's request be linked with USER A's details in the db and how will USER B's request be linked with USER B's details in the db ?

When a user logs in, we store the user's (unique) information in $_SESSION.

For example, if USER A is logged in, then I will get his ID from the db and store it in $_SESSION['uid'], along with other info if needed.

Then, when I want other information about USER A on any page, I will just get his ID from $_SESSION and make a query according to it.


I hope this will clear your confusion.


