Generated session id collisions possible?
Posted: Thu Jan 18, 2007 7:22 am
by mu-ziq
If I use PHP's native /tmp session management, will PHP check the /tmp folder after every random PHPSESSID generation to make sure it did not just generate a PHPSESSID identical to an existing one?
I realize the chances of two exact session IDs being generated are extremely minuscule, but I'm wondering if PHP bothers with this check at all or does it rely solely on the low probability of such an event ever occurring.
Thanks.
Posted: Thu Jan 18, 2007 7:51 am
by Ollie Saunders
Never heard of a session id collision. I doubt it is possible.
Re: Generated session id collisions possible?
Posted: Fri Jan 19, 2007 4:47 am
by raghavan20
mu-ziq wrote: If I use PHP's native /tmp session management, will PHP check the /tmp folder after every random PHPSESSID generation to make sure it did not just generate a PHPSESSID identical to an existing one?
I realize the chances of two exact session IDs being generated are extremely minuscule, but I'm wondering if PHP bothers with this check at all or does it rely solely on the low probability of such an event ever occurring.
Thanks.
Who would bother better than PHP? Rely on PHP, buddy; after all, we code using it.
Posted: Fri Jan 19, 2007 6:00 am
by Jenk
AFAIK, yes it does check.
However, it is recommended you use your own session storage solution, especially if using a shared host. Still use session_start() et al., but call the session_set_save_handler function to register your own implementation of a session handler and redirect the data to a better location. Your database, for example.