How unique is the php session id

Jalov · Sep 26, 2008 · Viewed 71.8k times

How unique is the php session id? I got the impression from various things that I've read that I should not rely on two users never getting the same sessionid. Isn't it a GUID?

Answer

djsadinoff · Sep 26, 2008

It's not very unique as shipped. In the default configuration it's the result of a hash of various things including the result of gettimeofday (which isn't terribly unique), but if you're worried, you should configure it to draw some entropy from /dev/urandom, like so

ini_set("session.entropy_file", "/dev/urandom"); // seed bytes come from the kernel CSPRNG
ini_set("session.entropy_length", "512");        // number of bytes read per id; set both before session_start()

Search for "php_session_create_id" in the code for the actual algorithm they're using.

Edited to add: There's a DFA random-number generator seeded by the pid, mixed with the time in usecs. It's not a firm uniqueness condition especially from a security perspective. Use the entropy config above.

Update:

As of PHP 5.4.0 session.entropy_file defaults to /dev/urandom or /dev/arandom if it is available. In PHP 5.3.0 this directive is left empty by default. PHP Manual
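An added audit helper, not code from the answer above or from PHP itself: it reads the session directives this answer discusses (and, on PHP 7.1 and later, their replacements session.sid_length and session.sid_bits_per_character) and reports where the id's randomness comes from plus an upper bound on its entropy. The 128-bit "weak" threshold and the remediation values it applies are choices made for this example.

```php
<?php
// Added audit helper, not part of the answer above. Reports where this PHP
// build takes session-id randomness from and an upper bound on the id's entropy.
// Assumes PHP 5.3 or newer; directive names differ between 5.3-7.0 and 7.1+.

function session_id_entropy_report(): array {
    if (version_compare(PHP_VERSION, '7.1.0', '>=')) {
        // PHP 7.1+: ids are drawn from the OS CSPRNG; the entropy_* directives
        // no longer exist, so only the encoded id length bounds the entropy.
        $chars = (int) ini_get('session.sid_length');
        $bits  = (int) ini_get('session.sid_bits_per_character'); // 4, 5 or 6
        return ['source' => 'csprng', 'max_bits' => $chars * $bits,
                'weak' => $chars * $bits < 128];           // 128 is this example's threshold
    }
    // PHP 5.3 - 7.0: id = hash(remote addr, time, usec, LCG output
    //                [, session.entropy_length bytes from session.entropy_file])
    $file = ini_get('session.entropy_file');
    $len  = (int) ini_get('session.entropy_length');
    $hash = ini_get('session.hash_function');   // '0' = MD5, '1' = SHA-1, else an algo name
    if ($hash === '0')      { $hashBits = 128; }
    elseif ($hash === '1')  { $hashBits = 160; }
    elseif (in_array($hash, hash_algos(), true)) { $hashBits = 8 * strlen(hash($hash, '', true)); }
    else                    { $hashBits = 128; } // unknown value: PHP falls back to MD5
    if ($file === false || $file === '' || $len <= 0) {
        // Only time/pid/LCG-derived inputs: predictable, not a security-grade id.
        return ['source' => 'time+lcg', 'max_bits' => $hashBits, 'weak' => true];
    }
    // Entropy cannot exceed the bytes read from the file or the hash width.
    $maxBits = min(8 * $len, $hashBits);
    return ['source' => $file, 'max_bits' => $maxBits, 'weak' => $maxBits < 128];
}

// Run before session_start(); session ini_set() calls have no effect afterwards.
$report = session_id_entropy_report();
if ($report['weak'] && version_compare(PHP_VERSION, '7.1.0', '<')) {
    ini_set('session.entropy_file', '/dev/urandom');
    ini_set('session.entropy_length', '32');   // 32 bytes = 256 bits of seed material
    ini_set('session.hash_function', 'sha256'); // keep the hash wider than the seed
    $report = session_id_entropy_report();
}
print_r($report);
```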