PHP session IDs -- how are they generated?
If you want to know how PHP generates a session ID by default check out the source code on Github. It is certainly not random and is based on a hash (default: md5) of these ingredients (see line 310 of code snippet):
- IP address of the client
- Current time
- PHP Linear Congruence Generator - a pseudo random number generator (PRNG)
- OS-specific random source - if the OS has a random source available (e.g. /dev/urandom)
If the OS has a random source available then the strength of the generated ID for the purpose of being a session ID is high (/dev/urandom and other OS random sources are (usually) cryptographically secure PRNGs). If however it does not then it is satisfactory.
The goal with session identification generation is to:
- minimise the probability of generating two session IDs with the same value
- make it very challenging computationally to generate random keys and hit an in-use one.
This is achieved by PHP's approach to session generation.
You cannot absolutely guarantee uniqueness, but the probabilities are so low of hitting the same hash twice that it is, generally speaking, not worth worrying about.
How unique is the php session id
Session_id can indeed be duplicated, but the probability is very low. If you have a website with fair traffic, it may happen once in your website's life, and will just annoy one user for one session.
This is not worth caring about unless you expect to build a very high traffic website or a service for the banking industry.
PHP - What happens if I get two equal session id?
It is not very likely or probable that you will generate two equal session IDs. Though of course this will depend on the algorithm that was used to generate the IDs.
If you want to know how, for example PHP, sessions are generated, take a look here: PHP session IDs -- how are they generated?
As you can read, these sessions are not entirely random and ingredients such as the user's IP address and time of issuance are used, limiting who can get the very unlikely equal session ID and when.
Furthermore, you can limit the effect of an equal session ID by limiting the session expiration time, allowed remote IP and domain for its usage.
How do PHP sessions work? (not how are they used?)
In the general situation:
- the session id is sent to the user when his session is created.
- it is stored in a cookie (called, by default, PHPSESSID)
- that cookie is sent by the browser to the server with each request
- the server (PHP) uses that cookie, containing the session_id, to know which file corresponds to that user.
The data in the session files is the content of $_SESSION, serialized (i.e., represented as a string -- with a function such as serialize); and is un-serialized when the file is loaded by PHP, to populate the $_SESSION array.
Sometimes, the session id is not stored in a cookie, but sent in URLs, too -- but that's quite rare, nowadays.
For more information, you can take a look at the Session Handling section of the manual, which gives some useful information.
For instance, there is a page about Passing the Session ID, which explains how the session id is passed from page to page, using a cookie, or in URLs -- and which configuration options affect this.
Understanding PHP Session Entropy
session_id is a hash of the client IP address (32 bits), the current timestamp and microseconds (52 bits), and a value generated from the php combined lcg(), a Pseudo Random Number Generator (PRNG) function (64 bits). The entropy is 148 bits. However, this number should not be considered as an absolute minimum value, as the IP address and timestamp are well known to whoever creates the session.
When an undesirably low amount of entropy is available, it's possible to reconstruct the PRNG's seed from the session id. Given that PHP reuses the same entropy sources between different generators, this is even easier.
The seed is used to generate other pseudorandom values, so if the attacker can obtain the seed value he can predict all the future output (including, but not only, mt_rand() and rand()). That's not good.
session.entropy_length is the number of bytes which will be read from the entropy file, usually /dev/urandom or /dev/arandom (from documentation).
If you provide a random source like /dev/random, then the entropy is greater, and the strength of the generated session_id is stronger.
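As an added example (not code from any of the answers above), here is the server-side configuration those answers imply: feed OS randomness into the ID, accept IDs only from cookies, reject IDs the server never issued, and bound the session lifetime. It assumes PHP 7.x; the session.entropy_* and session.hash_function directives only exist before PHP 7.1, where they were replaced by session.sid_length and session.sid_bits_per_character.

```php
<?php
// Added example, not from the original answers. Every directive below is a
// real php.ini setting; all must be set before session_start() is called.

function configure_sessions(): void
{
    // Take the session ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // Reject IDs the server did not generate itself (no attacker-chosen IDs).
    ini_set('session.use_strict_mode', '1');

    // Cookie hardening: not readable by script, HTTPS only, not sent cross-site.
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Strict');   // PHP 7.3+

    if (PHP_VERSION_ID >= 70100) {
        // PHP 7.1+: the ID comes straight from the CSPRNG; 48 chars * 6 bits = 288 bits.
        ini_set('session.sid_length', '48');
        ini_set('session.sid_bits_per_character', '6');
    } else {
        // PHP < 7.1: mix 32 bytes of OS randomness into the hash described above.
        ini_set('session.entropy_file', '/dev/urandom');
        ini_set('session.entropy_length', '32');
        ini_set('session.hash_function', 'sha256');
    }

    // Short lifetime: a colliding or leaked ID stays usable only briefly.
    ini_set('session.gc_maxlifetime', '1800');
    ini_set('session.cookie_lifetime', '0');   // expires when the browser closes
}

// Call on every privilege change (e.g. login) so a pre-login ID cannot be reused.
function on_login(int $userId): void
{
    session_regenerate_id(true);   // true: delete the old session file too
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

configure_sessions();
session_start();

// Server-side idle timeout, independent of whatever the cookie claims.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > 1800) {
    session_unset();
    session_destroy();
}
$_SESSION['last_seen'] = time();
```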
PHP Session ID uniqueness - When shared across multiple headends
It's very rare, but yes, it can happen...
I would suggest using cookies and not sessions; less server load and this won't happen.
http://forge.typo3.org/issues/37780
are PHP auto-generated Session ID's locked on IP address?
No, they definitely aren't "locked" to the IP address. For many users that wouldn't work as their web traffic goes through proxies and such so their IP address may be different to the server for each separate request.