The default PHP behavior is to use the md5 or sha1 hash of some values obtained at the time of generating the ID:
- Client IP;
- Current time;
- Any random number (can be provided by an OS PRNG, such as /dev/urandom).
Is it possible to have a collision? Yes! As is known, both MD5 and SHA1 are unsafe. But the goal is simply to make brute-force attacks computationally expensive. So much so that, in the case of PHP, there is no collision handling.
If you are implementing a data structure aimed at fast lookup of values (such as a hash table), this is not the best way. Only the data itself should go into the hash. Otherwise, you will not be able to retrieve your data.
Implementing collision handling is mandatory in most cases; it is up to you to decide which implementation to use. The collision handling algorithm may or may not be appropriate depending on the nature of the operations to be performed.
Possible Collision Handling in PHP
In the case of PHP, I believe that simply generating a new hash again is enough. This works because although the client's IP remains the same, the random number for sure (well ... hopefully, right?) will change, and the time will probably change too. So I see no reason to repeat the procedure until a collision does not occur.
I will not discuss collisions in the case of data because I believe that is outside the scope of the question.
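
The regenerate-on-collision idea described above, as an added example that is not part of the original answer and is not PHP's own session code. The function names, the in-memory store and the sample IP address are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: builds an ID from the inputs the answer lists
// (client IP, current time, random bytes) and hashes them.
function generateSessionId(string $clientIp, string $algo = 'sha1'): string
{
    $entropy = random_bytes(16);                    // OS CSPRNG, e.g. /dev/urandom
    $time    = sprintf('%.6F', microtime(true));    // microsecond timestamp
    return hash($algo, $clientIp . $time . $entropy);
}

// Hypothetical helper: generate again whenever the ID is already in use.
// $exists is any callable that reports whether an ID is taken
// (a lookup in the session store in a real deployment).
function allocateSessionId(string $clientIp, callable $exists, int $maxAttempts = 5): string
{
    for ($attempt = 1; $attempt <= $maxAttempts; $attempt++) {
        $id = generateSessionId($clientIp);
        if (!$exists($id)) {
            return $id;
        }
        // Collision: the IP is unchanged, but the time and random bytes differ
        // on the next pass, so the next hash is different.
    }
    // Repeated collisions point at a broken entropy source, not bad luck.
    throw new RuntimeException("No unused session ID after $maxAttempts attempts");
}

// Constructed demo: an in-memory store, and a checker that reports a
// collision on its first call so the retry path is exercised.
$store  = [];
$calls  = 0;
$exists = function (string $id) use (&$store, &$calls): bool {
    $calls++;
    return $calls === 1 || isset($store[$id]);
};

$id = allocateSessionId('203.0.113.7', $exists);    // constructed sample IP
$store[$id] = ['created' => time()];
printf("allocated %s after %d existence checks\n", $id, $calls);
```

Bounding the retries turns a failing random source into a visible error instead of an endless loop.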