Page 1 of 1

Unintentional session id collision?

Posted: Sun Mar 22, 2009 2:49 pm
by Olaf
I did some searching for this elsewhere, but the only answers I can find are about how unlikely it would be.
What I would like to know is if it is possible for PHP to assign to a new session, a session id that is already in use.

For example, Bob goes to a site, and is assigned "32e2de17dc5c15a47c71073d37b1a4ea".
Joe comes on, before Bob's session has expired. If the random number generators and whatever else is involved come up with "32e2de17dc5c15a47c71073d37b1a4ea" as the id to assign to Joe, will it, or is there checks in place to prevent this?

I downloaded php's source code and poked around in it, and was unable to find anything that does these checks, but I could have easily missed something, as large parts of it I didn't understand in the first place.

Oh, and this is all using the built-in session management, not anything custom.

Re: Unintentional session id collision?

Posted: Sun Mar 22, 2009 3:35 pm
by kaisellgren
When the session is initialized, a "random" identifier is generated without checking for existing identifiers. PHP generates a session identifier based on IP address, current time (Epoch) on seconds as well as on micro seconds, and on a value returned by the combined lineral congruential generator. Therefore, it would seem impossible to collide with another session identifier since it is using the time in seconds and that will never collide unless the two persons Bob and Joe happened to login at the very same second (and microsecond). However, PHP will hash this value with either SHA-1 or MD5 by default. This means, you either have 2^128 or 2^160 number of combinations available. Is unintentional session identifier collision possible? Yes. Is it likely? Probability is roughly 1/(2^128) or 0.0000000000000000000000000000000000003% in the worse case.

Re: Unintentional session id collision?

Posted: Sun Mar 22, 2009 4:04 pm
by Olaf
kaisellgren wrote:When the session is initialized, a "random" identifier is generated without checking for existing identifiers.

Is unintentional session identifier collision possible? Yes.
Thank you. This is what I was looking for.
I realize the extremely low probabilities involved. Well, maybe I don't exactly, as they're really too small to comprehend.

Re: Unintentional session id collision?

Posted: Sun Mar 22, 2009 6:54 pm
by Apollo
Olaf wrote:I realize the extremely low probabilities involved. Well, maybe I don't exactly, as they're really too small to comprehend.
Perhaps you can see it this way: the probability is significantly smaller than the world being destroyed tomorrow by freak wave of killer sunrays. I.e. not something to worry about for a single second.

Re: Unintentional session id collision?

Posted: Mon Mar 23, 2009 8:31 pm
by aschlosberg
It's like two people flipping a coin 128 times each and coming up with the same results.

As I'm not sure why you are interested in this I think it's responsible to point out that it is possible for a malicious user to submit another user's session id in their own cookie should they have the means to discover or fix it.

Re: Unintentional session id collision?

Posted: Tue Mar 24, 2009 7:05 am
by kaisellgren
By the way... If you want to prevent this...

Code: Select all

session_regenerate_id();
while (file_exists(ini_get('session.save_path').'/'.session_id())
 session_regenerate_id();
That should do it (not tested).