How unique is the php session id

php session guid
Jalov picture Jalov · Sep 26, 2008 · Viewed 71.8k times · Source

How unique is the php session id? I got the impression from various things that I've read that I should not rely on two users never getting the same sessionid. Isn't it a GUID?

Answer

djsadinoff picture djsadinoff · Sep 26, 2008

It's not very unique as shipped. In the default configuration it's the result of a hash of various things including the result of gettimeofday (which isn't terribly unique), but if you're worried, you should configure it to draw some entropy from /dev/urandom, like so

ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");

search for "php_session_create_id" in the code for the actual algorithm they're using.

Edited to add: There's a DFA random-number generator seeded by the pid, mixed with the time in usecs. It's not a firm uniqueness condition especially from a security perspective. Use the entropy config above.

Update:

As of PHP 5.4.0 session.entropy_file defaults to /dev/urandom or /dev/arandom if it is available. In PHP 5.3.0 this directive is left empty by default. PHP Manual

Related questions

How do I expire a PHP session after 30 minutes?

I need to keep a session alive for 30 minutes and then destroy it.

Read More
PHP Pass variable to next page

It seems pretty simple but I can't find a good way to do it. Say in the first page I create a variable $myVariable = "Some text"; And the form's action for that page is "Page2.php". So in Page2.php, …

Read More
"Cannot send session cache limiter - headers already sent"

Having a problem with sessions which is becoming very annoying. Every time I try to start a session on a particular page I get the following error: Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already …

Read More