How does PHP guarantee a unique session_id?

5

What algorithm is used to guarantee a unique session_id()? I would like to know how to create and verify one, so as to ensure that such an ID does not collide with an existing one.

I need to create some hashes, but I'm afraid that at some point two or more entries might produce the same hash.

asked by anonymous 04.04.2015 / 19:45

3 answers

2

The default PHP behavior is to use an MD5 or SHA1 hash of some values obtained at the time the ID is generated:

  • Client IP;
  • Current time;
  • A random number (may be provided by an OS PRNG, such as /dev/urandom).

Is it possible to have a collision? Yes! As is well known, both MD5 and SHA1 are insecure. But the goal is simply to make brute-force attacks computationally expensive. So much so that, in PHP's case, there is no collision handling at all.

If you are implementing a data structure aimed at fast lookup of values (such as a hash table), this is not the right way to go. Only the data itself should be considered in the hash. Otherwise, you will not be able to recover your data.

Implementing collision handling is mandatory in most cases; it is up to you to decide which implementation to use. A collision handling algorithm may or may not be appropriate depending on the nature of the operations to be performed.

Possible Collision Handling in PHP

In PHP's case, I believe that simply generating a new hash is enough. This works because, although the client's IP remains the same, the random number will surely (well... hopefully, right?) change, and the time will probably change too. So I see no reason not to just repeat the procedure until no collision occurs.

I will not discuss collisions in the case of data, because I believe that is not the domain of the question.

04.04.2015 / 20:04
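Added example, written for this page and not taken from the answer above or from PHP's own source: a generator in the style the answer describes (hash of client IP, current time and OS randomness) together with the "just generate again" collision handling it proposes. The function names, the in-memory $existing array standing in for a session store, and the client address 203.0.113.7 are assumptions made for illustration. One caveat for current PHP: since PHP 7.1 the built-in session ID is no longer a hash of IP and time at all, it is drawn purely from the CSPRNG (controlled by session.sid_length and session.sid_bits_per_character), and session_create_id() is the supported way to obtain one; the second function shows that approach.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original answer or from PHP itself.
// legacyStyleSessionId() mirrors the pre-7.1 recipe the answer describes:
// hash(client IP . current time . OS randomness), regenerated on collision.
// $existing stands in for your real session store (assumption for this example).
function legacyStyleSessionId(string $clientIp, array $existing, int $maxTries = 8): string
{
    for ($attempt = 0; $attempt < $maxTries; $attempt++) {
        $material = $clientIp                         // ingredient 1: client IP
            . sprintf('%.6F', microtime(true))        // ingredient 2: current time, microsecond resolution
            . random_bytes(32);                       // ingredient 3: OS randomness (/dev/urandom or equivalent)
        $id = hash('sha1', $material);

        // Collision handling as the answer proposes: the time and the random
        // bytes differ on every iteration, so a retry yields a fresh candidate.
        if (!isset($existing[$id])) {
            return $id;
        }
    }
    throw new RuntimeException('no unused session id after ' . $maxTries . ' attempts');
}

// Modern PHP (>= 7.1): the ID is just CSPRNG output; IP and time add nothing.
// 128 random bits make a collision negligibly unlikely, so the store check is
// belt-and-braces rather than a requirement.
function randomSessionId(array $existing): string
{
    do {
        $id = bin2hex(random_bytes(16));
    } while (isset($existing[$id]));
    return $id;
}

// Usage with a constructed store and a constructed client address.
$store = [];
for ($i = 0; $i < 5; $i++) {
    $id = legacyStyleSessionId('203.0.113.7', $store);
    $store[$id] = true;   // remember it, so the next call can detect a collision
}
$store[randomSessionId($store)] = true;
printf("%d distinct ids stored\n", count($store));
```

Inside a running session you would not roll your own at all: session_create_id() (PHP 7.1+) returns a fresh ID and, when a session is active, already checks it against the active save handler.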
2

To see how the handle is generated, simply look at the code; it is basically based on MD5 by default, but it can be SHA1 or another.

Other ingredients:

  • Client IP address - L298.
  • Current time - L300.
  • A random number generator - PRNG - L349.
    • If the operating system has a specific random source, it is used, for example /dev/urandom - L815.
04.04.2015 / 20:03
2

I usually use the user's IP ($_SERVER["REMOTE_ADDR"]) together with the timestamp in seconds from the moment of session creation, using the

04.04.2015 / 20:00