Unintentional session id collision?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
Olaf
Forum Newbie
Posts: 2
Joined: Sun Mar 22, 2009 2:34 pm

Unintentional session id collision?

Post by Olaf »

I did some searching for this elsewhere, but the only answers I can find are about how unlikely it would be.
What I would like to know is if it is possible for PHP to assign to a new session, a session id that is already in use.

For example, Bob goes to a site, and is assigned "32e2de17dc5c15a47c71073d37b1a4ea".
Joe comes on, before Bob's session has expired. If the random number generators and whatever else is involved come up with "32e2de17dc5c15a47c71073d37b1a4ea" as the id to assign to Joe, will it, or is there checks in place to prevent this?

I downloaded php's source code and poked around in it, and was unable to find anything that does these checks, but I could have easily missed something, as large parts of it I didn't understand in the first place.

Oh, and this is all using the built-in session management, not anything custom.
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Unintentional session id collision?

Post by kaisellgren »

When the session is initialized, a "random" identifier is generated without checking for existing identifiers. PHP generates a session identifier based on IP address, current time (Epoch) on seconds as well as on micro seconds, and on a value returned by the combined lineral congruential generator. Therefore, it would seem impossible to collide with another session identifier since it is using the time in seconds and that will never collide unless the two persons Bob and Joe happened to login at the very same second (and microsecond). However, PHP will hash this value with either SHA-1 or MD5 by default. This means, you either have 2^128 or 2^160 number of combinations available. Is unintentional session identifier collision possible? Yes. Is it likely? Probability is roughly 1/(2^128) or 0.0000000000000000000000000000000000003% in the worse case.
Olaf
Forum Newbie
Posts: 2
Joined: Sun Mar 22, 2009 2:34 pm

Re: Unintentional session id collision?

Post by Olaf »

kaisellgren wrote:When the session is initialized, a "random" identifier is generated without checking for existing identifiers.

Is unintentional session identifier collision possible? Yes.
Thank you. This is what I was looking for.
I realize the extremely low probabilities involved. Well, maybe I don't exactly, as they're really too small to comprehend.
User avatar
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Unintentional session id collision?

Post by Apollo »

Olaf wrote:I realize the extremely low probabilities involved. Well, maybe I don't exactly, as they're really too small to comprehend.
Perhaps you can see it this way: the probability is significantly smaller than the world being destroyed tomorrow by freak wave of killer sunrays. I.e. not something to worry about for a single second.
aschlosberg
Forum Newbie
Posts: 24
Joined: Fri Jan 23, 2009 10:17 pm

Re: Unintentional session id collision?

Post by aschlosberg »

It's like two people flipping a coin 128 times each and coming up with the same results.

As I'm not sure why you are interested in this I think it's responsible to point out that it is possible for a malicious user to submit another user's session id in their own cookie should they have the means to discover or fix it.
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Unintentional session id collision?

Post by kaisellgren »

By the way... If you want to prevent this...

Code: Select all

session_regenerate_id();
while (file_exists(ini_get('session.save_path').'/'.session_id())
 session_regenerate_id();
That should do it (not tested).
Post Reply