Does anyone know how the PHPSESSID is created, or better yet, what parameters PHP uses to create it?

Here is my concern:

I have 3 webservers (through a load balancer) that use sessions. All the session info is stored on one session server which is running MySQL. I originally thought all PHPSESSIDs created were unique. I then went through my logs and noticed that PHP reuses some PHPSESSIDs. From this I concluded that the REMOTE_HOST of the user has something to do with how the PHPSESSID is created.

My question is: since my 3 webservers know nothing of the others' existence, how does the PHP on each of these servers know whether a certain PHPSESSID is currently in use or not? More simply, can I rely on websrv1 creating a PHPSESSID that was not recently created (and still active) by websrv2 or websrv3? Or is it safer to create my own PHPSESSIDs with md5 or something?

Any help is appreciated.

    • [deleted]

    NFS mount your /tmp directory together so that you store the sessions on one server.

      I am storing the sessions on one server, a MySQL server; I wrote my own session handlers to use a MySQL database for session management.

      My table has the PHPSESSID as the primary key. This is the situation that scares me:

      websrv1 starts a session for John with some PHPSESSID and stores it on my MySQL session server. 5 minutes later while John's session is still active, websrv3 starts a session for Mary with the same PHPSESSID as John. Then her data overwrites his until he clicks something that overwrites hers, and the cycle continues.
      ?????Can this happen?????

      If I use session.entropy_file = /dev/urandom in my php.ini file, then random does not guarantee uniqueness. I already know that some PHPSESSIDs are being reused.
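The scenario the poster is worried about (websrv3 handing Mary an ID that John already holds, so their rows overwrite each other) is best closed at the point where the ID is allocated: the session server is the only place that knows every live ID, so the handler should reserve the new ID there with an INSERT that the primary key can reject, and retry on a duplicate, instead of generating an ID and trusting it to be unused. Pairing that with `session.use_strict_mode` makes PHP ask the handler whether a client-supplied ID exists before using it, so an unknown or expired ID gets a fresh one rather than being adopted. The following is an added example written for this thread, not the poster's own handler; it targets PHP 8 with PDO, and the table name, DSN and credentials are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8+, PDO with the MySQL
// driver, and this (hypothetical) table on the shared session server:
//   CREATE TABLE sessions (
//       id      VARCHAR(128) NOT NULL PRIMARY KEY,
//       data    BLOB         NOT NULL,
//       expires INT UNSIGNED NOT NULL
//   );
// The PRIMARY KEY is what guarantees two web servers can never hold the same
// live session ID: the second INSERT of an ID simply fails.

class MysqlSessionHandler implements SessionHandlerInterface, SessionIdInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $pdo, private int $lifetime = 1440) {}

    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }

    // Draw the ID from the CSPRNG (nothing derived from the client's address or the
    // clock), then reserve the row atomically. INSERT IGNORE affects 0 rows on a
    // duplicate key, which is the only signal we need to pick another ID.
    public function create_sid(): string
    {
        $stmt = $this->pdo->prepare(
            'INSERT IGNORE INTO sessions (id, data, expires) VALUES (?, ?, ?)'
        );
        for ($attempt = 0; $attempt < 5; $attempt++) {
            $sid = bin2hex(random_bytes(32)); // 256 bits of entropy, 64 hex chars
            $stmt->execute([$sid, '', time() + $this->lifetime]);
            if ($stmt->rowCount() === 1) {
                return $sid; // row reserved; no other server can claim this ID now
            }
        }
        throw new RuntimeException('could not allocate a unique session ID');
    }

    public function read($id): string|false
    {
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }

    public function write($id, $data): bool
    {
        // REPLACE is safe here only because create_sid() already reserved the row,
        // so the ID can belong to exactly one session.
        $stmt = $this->pdo->prepare('REPLACE INTO sessions (id, data, expires) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time() + $this->lifetime]);
    }

    public function destroy($id): bool
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE id = ?');
        return $stmt->execute([$id]);
    }

    public function gc($max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE expires < ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }

    // With session.use_strict_mode=1 PHP calls this for every ID a client presents.
    // Returning false makes PHP discard that ID and call create_sid() instead, so a
    // stale or made-up cookie value never becomes a live session.
    public function validateId($id): bool
    {
        $stmt = $this->pdo->prepare('SELECT 1 FROM sessions WHERE id = ? AND expires > ?');
        $stmt->execute([$id, time()]);
        return $stmt->fetchColumn() !== false;
    }

    public function updateTimestamp($id, $data): bool
    {
        $stmt = $this->pdo->prepare('UPDATE sessions SET expires = ? WHERE id = ?');
        return $stmt->execute([time() + $this->lifetime, $id]);
    }
}

// Hypothetical connection details for the shared session server.
$pdo = new PDO(
    'mysql:host=sessdb.example.internal;dbname=sessions;charset=utf8mb4',
    'app', 'secret',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
ini_set('session.use_strict_mode', '1');
session_set_save_handler(new MysqlSessionHandler($pdo), true);
session_start();
```

Because the reservation happens on the one MySQL server that all three web servers share, it does not matter that websrv1, websrv2 and websrv3 know nothing about each other: whichever server loses the race gets a 0-row result from the INSERT and draws a new ID. Any ID reuse that still shows up in the logs after this change is then worth investigating as a real bug rather than as a generator quirk.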
