[RESOLVED] PHP Session IDs: How random and how unique?

cbj4074

I'm trying to guage just how effective PHP's session ID generation routines are and if it's worth any additional effort to further "randomize" session IDs.

I can't find anywhere in the PHP 5 manual that explicitly states how PHP generates session IDs, internally.

I've read sites like this one (http://www.troubleshooters.com/codecorn/php/persist.htm#Generating_Session_IDs) wherein the authors talk about using some custom session ID creation techniques to increase security and reduce the likelihood of duplicate session IDs.

For those of you who have likely toiled over this before, what were your findings? Is the default session ID generation good enough?

Thanks for any insights...

crazychris

session id's are based on the server and time (from memory of research done years ago) and are very unique, similar to md5() uniqueness. Collision between sessions is rare, and I have never heard of it happening.

Why do you need them to be more unique?? You can make the content unique and compare on usage, saving the ip, browser and other data into the session and comparing to the present config and throwing an error if they do not match. This will reduce the likelyhood of a session hijack quite a bit...

Weedpacket

http://www.phpbuilder.com/board/showthread.php?t=10281931&highlight=random+unique+session