Is a PHP4 session ID unique forever or only unique in the sense that no two active sessions have the same ID?
Sep 28th, 2001 22:53
Sam Johnston, Liz Lawson,
The uniqueness of the session IDs is only as good as your random number
generator, although presumably PHP checks if a given session exists
before creating a new one. You should not rely on sessions in secure
environments if they have not been generated from truly random data, as
it could be possible to predict a session IDs and therefore hijack
sessions. Unix users should use /dev/[u]random for generating session
IDs. Most recommend /dev/urandom, as unlike /dev/random it will not
block if no data is available, rather using a PRNG to generate more numbers.