PHP Session Ids -- How Are They Generated

PHP session IDs -- how are they generated?

If you want to know how PHP generates a session ID by default, check out the source code on GitHub. It is certainly not random and is based on a hash (default: md5) of these ingredients (see line 310 of the code snippet):

  1. IP address of the client
  2. Current time
  3. PHP Linear Congruence Generator - a pseudo random number generator (PRNG)
  4. OS-specific random source - if the OS has a random source available (e.g. /dev/urandom)

If the OS has a random source available, then the strength of the generated ID for the purpose of being a session ID is high (/dev/urandom and other OS random sources are (usually) cryptographically secure PRNGs). If, however, it does not, then it is satisfactory.

The goal with session identification generation is to:

  1. minimise the probability of generating two session IDs with the same value
  2. make it very challenging computationally to generate random keys and hit an in use one.

This is achieved by PHP's approach to session generation.

You cannot absolutely guarantee uniqueness, but the probabilities are so low of hitting the same hash twice that it is, generally speaking, not worth worrying about.

How unique is the php session id

Session_id can indeed be duplicated, but the probability is very low. If you have a website with fair traffic, it may happen once in your website's life, and will just annoy one user for one session.

This is not worth caring about unless you expect to build a very high traffic website or a service for the banking industry.

PHP - What happens if I get two equal session id?

It is not very likely or probable that you will generate two equal session IDs. Though of course this will depend on the algorithm that was used to generate the IDs.

If you want to know how, for example, PHP sessions are generated, take a look here: PHP session IDs -- how are they generated?
As you can read, these sessions are not entirely random and ingredients such as the user's IP address and time of issuance are used, limiting who can get the very unlikely equal session ID and when.

Furthermore, you can limit the effect of an equal session ID by limiting the session expiration time, allowed remote IP and domain for its usage.
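The server-side controls this answer names (expiration time, remote IP, domain), plus a collision check when a new ID is issued, as an added example in Python. This is not PHP's own session code and not part of the original answer; the record schema, the lifetime values and the /24 network comparison are assumptions of the example. The network comparison rather than an exact-IP match follows the caveat elsewhere on this page that proxied users can show a different address on every request.

```python
import secrets
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical policy values chosen for this example.
ABSOLUTE_LIFETIME = 8 * 3600   # seconds a session may live regardless of activity
IDLE_TIMEOUT = 30 * 60         # seconds of inactivity after which it is dropped


@dataclass
class SessionRecord:
    """Server-side state kept per session id (hypothetical schema)."""
    created_at: float
    last_seen_at: float
    client_ip: str      # address seen when the session was created
    host: str           # domain the session was issued for


def new_session_id(store: dict, nbytes: int = 16) -> str:
    """Draw an id from the OS CSPRNG and retry on the (astronomically rare)
    collision, so two clients never share a record even if the generator repeats."""
    while True:
        sid = secrets.token_hex(nbytes)
        if sid not in store:
            return sid


def same_client_network(bound_ip: str, request_ip: str, prefix: int = 24) -> bool:
    """Loose IP binding: proxied users change address between requests, so compare
    on a /24 (IPv4) or /64 (IPv6) instead of the exact address. Assumed policy."""
    a, b = ip_address(bound_ip), ip_address(request_ip)
    if a.version != b.version:
        return False
    plen = prefix if a.version == 4 else 64
    return (ip_network(f"{a}/{plen}", strict=False)
            == ip_network(f"{b}/{plen}", strict=False))


def validate_session(store: dict, sid: str, now: float, request_ip: str,
                     request_host: str, bind_ip: bool = True):
    """Return (ok, reason). On any failure the record is destroyed, so a stray or
    duplicated id stops working instead of lingering until garbage collection."""
    rec = store.get(sid)
    if rec is None:
        return False, "unknown id"
    reason = None
    if now - rec.created_at > ABSOLUTE_LIFETIME:
        reason = "absolute lifetime exceeded"
    elif now - rec.last_seen_at > IDLE_TIMEOUT:
        reason = "idle timeout"
    elif request_host != rec.host:
        reason = "host mismatch"
    elif bind_ip and not same_client_network(rec.client_ip, request_ip):
        reason = "client network mismatch"
    if reason:
        del store[sid]
        return False, reason
    rec.last_seen_at = now          # sliding idle window
    return True, "ok"


if __name__ == "__main__":
    store = {}
    sid = new_session_id(store)
    store[sid] = SessionRecord(1000.0, 1000.0, "203.0.113.10", "example.com")
    print(validate_session(store, sid, 1100.0, "203.0.113.77", "example.com"))
    print(validate_session(store, sid, 1200.0, "198.51.100.1", "example.com"))
```

Whether to bind to the client address at all depends on the user base; `bind_ip=False` keeps the time and host checks, which do not suffer from the proxy problem.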

How do PHP sessions work? (not how are they used?)

In the general situation:

  • the session id is sent to the user when his session is created.
  • it is stored in a cookie (called, by default, PHPSESSID)
  • that cookie is sent by the browser to the server with each request
  • the server (PHP) uses that cookie, containing the session_id, to know which file corresponds to that user.

The data in the session files is the content of $_SESSION, serialized (i.e., represented as a string -- with a function such as serialize); it is unserialized when the file is loaded by PHP, to populate the $_SESSION array.


Sometimes the session id is not stored in a cookie but sent in URLs, too -- but that's quite rare nowadays.


For more information, you can take a look at the Session Handling section of the manual, which gives some useful information.

For instance, there is a page about Passing the Session ID, which explains how the session id is passed from page to page, using a cookie, or in URLs -- and which configuration options affect this.

Understanding PHP Session Entropy

session_id is a hash of the client IP address (32 bits), the current timestamp and microseconds (52 bits), and a value generated from PHP's combined lcg(), a Pseudo Random Number Generator (PRNG) function (64 bits). The entropy is 148 bits. However, this number should not be considered an absolute minimum value, as the IP address and timestamp are well known to whoever creates the session.

When an undesirably low amount of entropy is available, it's possible to reconstruct the PRNG's seed from the session id. Given that PHP reuses the same entropy sources between different generators, this is even easier.

The seed is used to generate other pseudorandom values, so if the attacker can obtain the seed value, he can predict all the future output (including, but not only, mt_rand() and rand()). That's not good.

session.entropy_length is the number of bytes which will be read from the entropy file, usually /dev/urandom or /dev/arandom (from documentation).

If you provide a random source like /dev/random, then the entropy is greater, and the strength of the generated session_id is stronger.
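A model of the legacy ID recipe listed in the first answer on this page (client IP, time, combined LCG output, optional OS random bytes) and of the entropy argument in this answer, as an added example in Python. It is not PHP's source and not part of either answer: the combined LCG is PHP's php_combined_lcg() algorithm with fixed seeds chosen here for reproducibility, while the exact way the ingredients are concatenated before hashing is an assumption of the example. The point it makes is that once the attacker knows the IP and the second (their own request) and has recovered the LCG output, only the microsecond field is left, so the ID falls to at most 10^6 hashes unless OS random bytes are mixed in. Note that PHP 7.1 replaced this scheme with IDs drawn directly from the OS CSPRNG and removed session.entropy_file, session.entropy_length and session.hash_function; the model applies to older releases.

```python
import hashlib
import math
import os


class CombinedLCG:
    """php_combined_lcg(): two L'Ecuyer LCGs combined (ext/standard/lcg.c).
    Seeds are fixed here for reproducibility; PHP seeds them at first use."""

    def __init__(self, s1: int = 123456789, s2: int = 987654321) -> None:
        self.s1, self.s2 = s1, s2

    @staticmethod
    def _step(a: int, b: int, c: int, m: int, s: int) -> int:
        # Schrage's method, as in the C MODMULT macro.
        q = s // a
        s = b * (s - a * q) - c * q
        return s + m if s < 0 else s

    def next(self) -> float:
        self.s1 = self._step(53668, 40014, 12211, 2147483563, self.s1)
        self.s2 = self._step(52774, 40692, 3791, 2147483399, self.s2)
        z = self.s1 - self.s2
        if z < 1:
            z += 2147483562
        return z * 4.656613e-10          # uniform in (0, 1)


def legacy_session_id(remote_addr: str, sec: int, usec: int,
                      lcg_value: float, os_random: bytes = b"") -> str:
    """Model of the pre-7.1 recipe: md5 over IP, seconds, microseconds and the
    LCG output, then the configured number of OS random bytes if any.
    The field formatting below is an assumption of this example."""
    ingredients = f"{remote_addr[:15]}{sec}{usec}{lcg_value * 10:.8f}".encode()
    h = hashlib.md5(ingredients)
    if os_random:
        h.update(os_random)
    return h.hexdigest()


def recover_usec(remote_addr: str, sec: int, lcg_value: float,
                 target_id: str, max_usec: int = 1_000_000):
    """Attacker view: IP and second are known, the LCG output is known once its
    seed was recovered, so only the microsecond field is brute-forced.
    Returns the usec that reproduces target_id, or None if OS random bytes
    (or anything else the attacker cannot see) were mixed in."""
    for usec in range(max_usec):
        if legacy_session_id(remote_addr, sec, usec, lcg_value) == target_id:
            return usec
    return None


def attacker_work_bits(lcg_recovered: bool, entropy_length: int) -> float:
    """Rough size of the attacker's search in bits: ~20 for the microsecond field,
    ~31 more for the LCG output if its seed is unknown, plus 8 per byte read
    from the OS random source (session.entropy_length)."""
    bits = math.log2(1_000_000)
    if not lcg_recovered:
        bits += 31
    return bits + 8 * entropy_length


if __name__ == "__main__":
    lcg = CombinedLCG()
    value = lcg.next()
    ip, sec = "203.0.113.5", 1700000000
    weak = legacy_session_id(ip, sec, 4242, value)
    print("no OS randomness, usec recovered:", recover_usec(ip, sec, value, weak))
    strong = legacy_session_id(ip, sec, 4242, value, os.urandom(32))
    print("32 urandom bytes, usec recovered:", recover_usec(ip, sec, value, strong))
    print("search bits:", attacker_work_bits(True, 0), attacker_work_bits(True, 32))
```

The brute force succeeds in well under a second on the weak ID and can never match the strong one, which is the practical meaning of "if the OS has a random source available the strength is high": the /dev/urandom bytes are the only ingredient the attacker cannot observe or reconstruct.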

PHP Session ID uniqueness - When shared across multiple headends

It's very rare, but yes, it can happen...
I would suggest using cookies and not sessions: less server load, and this won't happen.

http://forge.typo3.org/issues/37780

are PHP auto-generated Session ID's locked on IP address?

No, they definitely aren't "locked" to the IP address. For many users that wouldn't work, as their web traffic goes through proxies and such, so their IP address may appear different to the server for each separate request.


