PHP session IDs — how are they generated? [duplicate]

by

If you want to know how PHP generates a session ID by default check out the source code on Github. It is certainly not random and is based on a hash (default: md5) of these ingredients (see line 310 of code snippet):

  1. IP address of the client
  2. Current time
  3. PHP Linear Congruence Generator – a pseudo random number generator (PRNG)
  4. OS-specific random source – if the OS has a random source available (e.g. /dev/urandom)

If the OS has a random source available then strength of the generated ID for the purpose of being a session ID is high (/dev/urandom and other OS random sources are (usually) cryptographically secure PRNGs). If however it does not then it is satisfactory.

The goal with session identification generation is to:

  1. minimise the probability of generating two session IDs with the same value
  2. make it very challenging computationally to generate random keys and hit an in use one.

This is achieved by PHP’s approach to session generation.

You cannot absolutely guarantee uniqueness, but the probabilities are so low of hitting the same hash twice that it is, generally speaking, not worth worrying about.

More Related Contents:

  1. How do I expire a PHP session after 30 minutes?
  2. Allow php sessions to carry over to subdomains
  3. PHP session without cookies
  4. Cookies vs. sessions
  5. PHP – Session destroy after closing browser
  6. PHP Sessions with disabled cookies, does it work?
  7. What is the difference between Sessions and Cookies in PHP?
  8. How to destroy the session cookie correctly with PHP?
  9. CakePHP remember me with Auth
  10. Cookies vs. sessions in PHP
  11. PHP authentication with multiple domains and subdomains
  12. PHP session seemingly not working
  13. Setting a cookie in an AJAX request?
  14. how to unset cookie in PHP?
  15. How to send cookies with file_get_contents
  16. How to change the session timeout in PHP?
  17. how to get the cookies from a php curl into a variable
  18. PHP Session timeout
  19. Set a cookie to never expire
  20. How long will my session last?
  21. how to delete all cookies of my website in php
  22. PHP Session Hijacking
  23. How to prevent PHP sessions being shared between different apache vhosts?
  24. PHP Curl – Cookies problem
  25. PHP & Sessions: Is there any way to disable PHP session locking?
  26. How to set session timeout in Laravel?
  27. How can I set a cookie and then redirect in PHP?
  28. How to get cookie’s expire time
  29. How to properly handle session and access token with Facebook PHP SDK 3.0?
  30. PHP How can I create multiple sessions?

Leave a Comment