Session ID assignment problem?

Posted: Mon Oct 06, 2003 6:32 pm
by nullbyte
I'm looking for some information on how PHP assigns session IDs. I've been having some issues that cropped up over a year after a rather large site went live, that seem to indicate that session IDs are being duplicated somehow.

The server in question now has the following settings:

Code:

session.entropy_file = "/dev/urandom";
session.entropy_length = 16

(I should add that the problems occurred before entropy_file was in use.)

Since enabling those, I've been logging various information upon each page view, just after:

Code:

session_name('[session name]');
session_start();

and then I log: time(), session_id(), $_SERVER['REMOTE_ADDR'], and $_COOKIE['[session name]']

I found the results surprising. I did a comparison query on results where a) the session IDs match but b) the remote IP does not and c) the cookie value was blank (hinting at, I'm guessing, a new session that was started). The query found about 100 unique instances (out of 82,000+ log entries) where a session ID was used on different IPs. Most of these occurred with IPs that were similar -- all but the last number -- which I take to mean some sort of ISP proxy connection, which does not pose a problem. On at least 20, however, the IPs sharing the same session ID were significantly different. In light of the recent problems, should I be worried about this? I have not encountered any further problems since enabling the entropy settings, but I still wonder about the session problems.

If anyone has any comments or ideas, I'd be glad to hear them. Thanks.
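
The comparison described in the post above, written out as an added example that is not part of the original thread: it groups log rows by session ID, keeps only requests that arrived without a session cookie, and separates same-/24 reuse from reuse across unrelated networks. The log rows, function names and the /24 cutoff (IPv4 only) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows, in the order the post logs them:
# time(), session_id(), REMOTE_ADDR, session cookie value ("" = no cookie sent).
SAMPLE_LOG = [
    (1065461520, "a3f1c2d4e5", "203.0.113.10", ""),
    (1065461580, "a3f1c2d4e5", "203.0.113.10", "a3f1c2d4e5"),
    (1065461640, "a3f1c2d4e5", "203.0.113.77", "a3f1c2d4e5"),  # cookie present
    (1065462000, "9b8e7d6c5f", "198.51.100.4", ""),
    (1065465600, "9b8e7d6c5f", "192.0.2.200", ""),   # fresh session, distant IP
    (1065466000, "77aa88bb99", "192.0.2.15", ""),
    (1065466030, "77aa88bb99", "192.0.2.16", ""),    # fresh session, same /24
]


def same_slash24(ips):
    """True when every address is in one /24 (the 'all but the last number' case)."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return len(nets) == 1


def find_reissued_ids(rows):
    """Return {session_id: (label, sorted_ips)} for IDs seen without a cookie on >1 IP."""
    fresh = defaultdict(set)
    for _ts, sid, ip, cookie in rows:
        if cookie == "":  # no cookie sent: treated here as a newly started session
            fresh[sid].add(ip)

    findings = {}
    for sid, ips in fresh.items():
        if len(ips) > 1:
            label = "same_subnet" if same_slash24(ips) else "distinct_networks"
            findings[sid] = (label, sorted(ips))
    return findings


if __name__ == "__main__":
    for sid, (label, ips) in find_reissued_ids(SAMPLE_LOG).items():
        print(sid, label, ips)
```

A blank cookie is only a hint of a new session: with session.use_trans_sid enabled the ID can arrive in the URL instead, so rows flagged as distinct_networks are worth checking against the request URL before concluding the ID was generated twice.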

Posted: Mon Oct 06, 2003 6:52 pm
by Paddy
I'm not sure what is going on with yours but I use this to create session ids.

Code:

session_start();
if (!(isset($_SESSION['session'])))
{
	$_SESSION['session'] = md5(uniqid(rand()));
	$session = $_SESSION['session'];
}