Can random numbers be predicted based on microtime?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

WaldoMonster
Forum Contributor
Posts: 225
Joined: Mon Apr 19, 2004 6:19 pm

Post by WaldoMonster »

Can random numbers be predicted based on microtime?
I ask this because I want to create a session id where the first part is based on microtime.
And the rest is filled up with random characters.
This way I'm 100% sure that the same session id can never be created.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Given the same algorithm used on all results, yes.

Why not use the built-in creation?

So long as the ID is uniform in length there is always the chance of a collision with a previous value. The chances grow smaller and smaller as the permutations grow. However, if it is flawed, mathematically your collision chances go up quickly as does the ability to guess ID's.
WaldoMonster
Forum Contributor
Posts: 225
Joined: Mon Apr 19, 2004 6:19 pm

Post by WaldoMonster »

feyd wrote: Given the same algorithm used on all results, yes.
Ok.
feyd wrote: Why not use the built-in creation?
I use a database/cookie session, so I need to create my own id.
Or did you mean uniqid?
feyd wrote: So long as the ID is uniform in length there is always the chance of a collision with a previous value. The chances grow smaller and smaller as the permutations grow. However, if it is flawed, mathematically your collision chances go up quickly as does the ability to guess ID's.
Thanks for the info.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Building your own session manager does not require you to create your own session ID's.

Take a look here: session_set_save_handler()