How unique is the php session id

by

It’s not very unique as shipped. In the default configuration it’s the result of a hash of various things including the result of gettimeofday (which isn’t terribly unique), but if you’re worried, you should configure it to draw some entropy from /dev/urandom, like so

ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");

search for “php_session_create_id” in the code for the actual algorithm they’re using.

Edited to add:
There’s a DFA random-number generator seeded by the pid, mixed with the time in usecs. It’s not a firm uniqueness condition especially from a security perspective. Use the entropy config above.

Update:

As of PHP 5.4.0 session.entropy_file defaults to /dev/urandom or
/dev/arandom if it is available. In PHP 5.3.0 this directive is left
empty by default. PHP Manual

More Related Contents:

  1. how can I print multiple services in this way
  2. PHP session variable issue while using iframe
  3. Undefined index $_POST
  4. How do I expire a PHP session after 30 minutes?
  5. PHP Pass variable to next page
  6. Using sessions & session variables in a PHP Login Script
  7. cleanup php session files
  8. Session lost when switching from HTTP to HTTPS in PHP
  9. Laravel – Session store not set on request
  10. Session data lost in Chrome only
  11. Array as session variable
  12. How to remove a variable from a PHP session array
  13. Truly destroying a PHP Session?
  14. PHP Sessions with disabled cookies, does it work?
  15. How to kill a/all php sessions?
  16. PHP alternative to session_is_registered
  17. Can I use array_push on a SESSION array in php?
  18. When do I have to declare session_start();?
  19. how to pass value from one php page to another using session
  20. I cannot use mysql_* functions after upgrading PHP
  21. Codeigniter session is not working on PHP 7
  22. Is it secure to store a password in a session? [duplicate]
  23. Is my understanding of PHP sessions correct?
  24. Do AJAX requests retain PHP Session info?
  25. Undefined index with PHP sessions
  26. Submit Multiple Forms With One Button
  27. When and where should I use session_start?
  28. How do check if a PHP session is empty? [duplicate]
  29. PHP session seemingly not working
  30. How to send cookies with file_get_contents

Leave a Comment