Entry
Is a PHP4 session ID unique forever or only unique in the sense that no two active sessions have the same ID?
Sep 28th, 2001 22:53
Sam Johnston, Liz Lawson,
The uniqueness of session IDs is only as good as your random number
generator, although presumably PHP checks whether a given session exists
before creating a new one. You should not rely on sessions in secure
environments if the IDs have not been generated from truly random data,
as it could be possible to predict a session ID and therefore hijack
sessions. Unix users should use /dev/[u]random for generating session
IDs. Most recommend /dev/urandom because, unlike /dev/random, it will
not block if no data is available; instead it uses a PRNG to generate
more numbers.
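
One way to draw session IDs from /dev/urandom, as an added example that is not part of the original entry or PHP's own code. The helper name new_session_id(), the 16-byte length and the use of $_COOKIE (PHP 4.1 or later) are assumptions.

```php
<?php
// Added example: generate a session ID from /dev/urandom and hand it to
// PHP's session layer. new_session_id() is a hypothetical helper name.
//
// Alternative without custom code: the php.ini settings
//   session.entropy_file   = /dev/urandom
//   session.entropy_length = 16
// mix bytes from the device into the IDs PHP generates itself.

function new_session_id($nbytes = 16, $source = '/dev/urandom')
{
    $fp = @fopen($source, 'rb');
    if (!$fp) {
        return false;   // fail closed: no fallback to rand() or time()
    }
    $buf = '';
    // fread() may return fewer bytes than requested, so loop until full.
    while (strlen($buf) < $nbytes) {
        $chunk = fread($fp, $nbytes - strlen($buf));
        if ($chunk === false || $chunk === '') {
            fclose($fp);
            return false;   // short read: treat as no entropy available
        }
        $buf .= $chunk;
    }
    fclose($fp);
    return bin2hex($buf);   // 16 bytes become 32 hex characters
}

// Only mint a new ID when the client did not present a session cookie;
// otherwise every request would start a fresh session.
if (!isset($_COOKIE[session_name()])) {
    $sid = new_session_id();
    if ($sid === false) {
        die('No entropy source available; refusing to start a session.');
    }
    session_id($sid);   // must be set before session_start()
}
session_start();
```

Sixteen bytes give 128 bits of ID space, which makes both prediction and accidental collisions between sessions impractical.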