I did some searching for this elsewhere, but the only answers I can find are about how unlikely it would be.
What I would like to know is if it is possible for PHP to assign to a new session, a session id that is already in use.
For example, Bob goes to a site, and is assigned "32e2de17dc5c15a47c71073d37b1a4ea".
Joe comes on, before Bob's session has expired. If the random number generators and whatever else is involved come up with "32e2de17dc5c15a47c71073d37b1a4ea" as the id to assign to Joe, will it, or is there checks in place to prevent this?
I downloaded php's source code and poked around in it, and was unable to find anything that does these checks, but I could have easily missed something, as large parts of it I didn't understand in the first place.
Oh, and this is all using the built-in session management, not anything custom.
Unintentional session id collision?
Moderator: General Moderators
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Unintentional session id collision?
When the session is initialized, a "random" identifier is generated without checking for existing identifiers. PHP generates a session identifier based on IP address, current time (Epoch) on seconds as well as on micro seconds, and on a value returned by the combined lineral congruential generator. Therefore, it would seem impossible to collide with another session identifier since it is using the time in seconds and that will never collide unless the two persons Bob and Joe happened to login at the very same second (and microsecond). However, PHP will hash this value with either SHA-1 or MD5 by default. This means, you either have 2^128 or 2^160 number of combinations available. Is unintentional session identifier collision possible? Yes. Is it likely? Probability is roughly 1/(2^128) or 0.0000000000000000000000000000000000003% in the worse case.
Re: Unintentional session id collision?
Thank you. This is what I was looking for.kaisellgren wrote:When the session is initialized, a "random" identifier is generated without checking for existing identifiers.
Is unintentional session identifier collision possible? Yes.
I realize the extremely low probabilities involved. Well, maybe I don't exactly, as they're really too small to comprehend.
Re: Unintentional session id collision?
Perhaps you can see it this way: the probability is significantly smaller than the world being destroyed tomorrow by freak wave of killer sunrays. I.e. not something to worry about for a single second.Olaf wrote:I realize the extremely low probabilities involved. Well, maybe I don't exactly, as they're really too small to comprehend.
-
aschlosberg
- Forum Newbie
- Posts: 24
- Joined: Fri Jan 23, 2009 10:17 pm
Re: Unintentional session id collision?
It's like two people flipping a coin 128 times each and coming up with the same results.
As I'm not sure why you are interested in this I think it's responsible to point out that it is possible for a malicious user to submit another user's session id in their own cookie should they have the means to discover or fix it.
As I'm not sure why you are interested in this I think it's responsible to point out that it is possible for a malicious user to submit another user's session id in their own cookie should they have the means to discover or fix it.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: Unintentional session id collision?
By the way... If you want to prevent this...
That should do it (not tested).
Code: Select all
session_regenerate_id();
while (file_exists(ini_get('session.save_path').'/'.session_id())
session_regenerate_id();