How are PHP session IDs generated?

What are the chances of one duplicating?

ffoeg

8:39 am on Feb 27, 2008 (gmt 0)

10+ Year Member

Well, I suppose the question pretty much sums up what this post is about.

Basically, all I would like to know is how PHP actually generates a session ID, and what the chances are of a duplicate session ID being generated.

Thanks :)
*G

phparion

9:36 am on Feb 27, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

The uniqueness of the session IDs is only as good as your random number generator, although presumably PHP checks if a given session exists before creating a new one. You should not rely on sessions in secure environments if they have not been generated from truly random data, as it could be possible to predict session IDs and therefore hijack sessions. Unix users should use /dev/[u]random for generating session IDs. Most recommend /dev/urandom, as unlike /dev/random it will not block if no data is available, instead using a PRNG to generate more numbers.

phparion

9:37 am on Feb 27, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

A good method to get unique IDs might be

md5(uniqid(microtime()) . $_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']);

ffoeg

12:21 pm on Feb 27, 2008 (gmt 0)

10+ Year Member

Thanks. But what if I wasn't generating the ID myself? What if I'm using the built-in PHP session ID generator; the standard one that generates a session ID when session_start() is called?

I'm not worried about security, as there is no sensitive data being stored.

henry0

12:56 pm on Feb 27, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

A few things you could look at:

An article about session fixation [en.wikipedia.org]

And session_regenerate_id from the manual [us2.php.net]

This should address some of your concerns.

Achernar

1:03 pm on Feb 27, 2008 (gmt 0)

10+ Year Member Top Contributors Of The Month

I don't think there is a possibility of session ID collision in PHP.

From the PHP documentation:

"A visitor accessing your web site is assigned an unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL."

kortando

5:48 pm on Mar 23, 2008 (gmt 0)

10+ Year Member

Damn, phparion - maybe your method is unique, but it is very simple to guess, so it isn't secure.

In all probability, a SID should be more secure than unique, because a collision is very hard to make happen.
So, I think more secure, yes - like you told before (/dev/random), but a unique SID is a problem which doesn't exist, so we don't care.

Of course, if we are talking about a simple web service, not about a military bomb sender :P

henry0

6:18 pm on Mar 23, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Kortando, welcome to WebmasterWorld!
You should not be able to guess/match a session that is generated with a combo of:
$_SERVER['HTTP_USER_AGENT'] salted with your own hard-to-match $str and boiled down to a perfect md5 :)

Pass it around.

The same user from the same user agent using the same string will right away exit() if a session is stolen.
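As an added example (not code from any poster in this thread), the PHP script below puts a number on the original question and contrasts the two approaches discussed: the md5() recipe from phparion's post and PHP's own session handling with session_regenerate_id() as henry0 suggests. Function names and the 1e9 session count are illustrative assumptions; the ini settings and functions are PHP's own.

```php
<?php
// Added example (not from the thread). Estimates the chance of a duplicate
// session ID, and contrasts the thread's md5()-over-request-data recipe with
// PHP's CSPRNG-backed session handling. Sample numbers are illustrative.
declare(strict_types=1);

// Birthday-bound approximation: n IDs drawn uniformly from 2^bits values give
// P(at least one collision) ~= n^2 / 2^(bits+1).
function collisionProbability(int $bits, float $ids): float
{
    return ($ids * $ids) / (2 ** ($bits + 1));
}

// PHP 7.1+ default: session.sid_length=32 at session.sid_bits_per_character=4,
// i.e. 128 bits read from the OS CSPRNG (/dev/urandom on Unix).
printf("128-bit IDs, 1e9 live sessions: p ~= %.1e\n", collisionProbability(128, 1e9));
// ~1.5e-21: duplicates are not the realistic risk; predictability is.

// The recipe suggested in the thread. Each input is low-entropy (time-based)
// or client-supplied (address, User-Agent), so the digest is unique but not
// unguessable, which is the objection raised later in the thread.
function threadStyleId(string $remoteAddr, string $userAgent): string
{
    return md5(uniqid(microtime()) . $remoteAddr . $userAgent);
}

// Hardened equivalent when an ID must be minted outside the session layer.
function strongId(): string
{
    return bin2hex(random_bytes(16)); // 128 bits, 32 hex chars
}

// Inside the session layer: let PHP mint the ID, lock down the cookie, and
// rotate the ID at login so an ID fixed or observed before authentication
// is useless afterwards (the session fixation point from the thread).
function hardenedSessionStart(): void
{
    ini_set('session.use_strict_mode', '1'); // drop IDs the server never issued
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');
    session_start();
}

function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true); // fresh random ID; old session data deleted
    $_SESSION['user_id'] = $userId;
}
```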