The server in question now has the following settings:
Code:
session.entropy_file = "/dev/urandom";
session.entropy_length = 16

Since enabling those, I've been logging various information upon each page view, just after:

Code:
session_name('[session name]');
session_start();

I found the results surprising. I did a comparison query on results where a) the session IDs match but b) the remote IP does not and c) the cookie value was blank (hinting at, I'm guessing, a new session that was started). The query found about 100 unique instances (out of 82,000+ log entries) where a session ID was used on different IPs. Most of these occurred with IPs that were similar -- all but the last number -- which I take to mean some sort of ISP proxy connection, which does not pose a problem. On at least 20, however, the IPs sharing the same session ID were significantly different. In light of the recent problems, should I be worried about this? I have not encountered any further problems since enabling the entropy settings, but I still wonder about the session problems.
If anyone has any comments or ideas, I'd be glad to hear them. Thanks.
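
Added example, not part of the original post: a sketch of the comparison described above (same session ID, different remote IP, blank cookie on the second hit), which then separates pairs that differ only in the last octet from pairs on unrelated networks. The table name `page_log`, its column names and the sample rows are assumptions constructed for illustration.

```python
import ipaddress
import sqlite3

# Constructed sample rows: (session_id, remote_ip, cookie_value). Not real log data.
SAMPLE_LOG = [
    ("a1f3", "198.51.100.10", "a1f3"),
    ("a1f3", "198.51.100.77", ""),    # same /24: consistent with an ISP proxy pool
    ("b2e4", "192.0.2.15", "b2e4"),
    ("b2e4", "203.0.113.200", ""),    # unrelated network: needs a closer look
    ("c3d5", "192.0.2.80", ""),       # single IP: an ordinary new session
    ("c3d5", "192.0.2.80", "c3d5"),
]

# Self-join: same session ID, different IP, and the second hit sent no cookie.
QUERY = """
SELECT DISTINCT a.session_id, a.remote_ip, b.remote_ip
FROM page_log a JOIN page_log b
  ON a.session_id = b.session_id AND a.remote_ip <> b.remote_ip
WHERE b.cookie_value = ''
"""

def same_network(ip_a, ip_b, prefix=24):
    """True when both IPv4 addresses fall in the same /prefix block."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def classify_shared_sessions(rows):
    """Map each shared session ID to 'similar' or 'different'."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE page_log (session_id TEXT, remote_ip TEXT, cookie_value TEXT)"
    )
    db.executemany("INSERT INTO page_log VALUES (?, ?, ?)", rows)
    result = {}
    for sid, ip_a, ip_b in db.execute(QUERY):
        label = "similar" if same_network(ip_a, ip_b) else "different"
        # One unrelated pair is enough to flag the whole session ID.
        if result.get(sid) != "different":
            result[sid] = label
    db.close()
    return result

if __name__ == "__main__":
    for sid, label in sorted(classify_shared_sessions(SAMPLE_LOG).items()):
        print(sid, label)
```

Session IDs labelled "different" are the ones to correlate with user agent and request timestamps before deciding whether an ID was reused or collided.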