How PHP Session ID is proved to be unique?

  • howa

    How PHP Session ID is proved to be unique?

    For example, if two hosts arrive at a server at the same time
    (microtime), using the same IP via NAT, and are maybe even lucky
    enough to have the same random number,

    How does PHP make them use different session IDs?

    Or is the PHP session in fact not 100% safe enough?

    thanks.

  • Erwin Moller

    #2
    Re: How PHP Session ID is proved to be unique?

    howa wrote:
    > For example, if two hosts arrive at a server at the same time
    > (microtime), using the same IP via NAT, and are maybe even lucky
    > enough to have the same random number,
    >
    > How does PHP make them use different session IDs?
    >
    > Or is the PHP session in fact not 100% safe enough?
    >
    > thanks.

    Hi Howa,

    As far as I know PHP doesn't take precautions for that.
    A typical sessionid consists of 31 or so characters, ranging from
    0-9 and a-z: that is 37 possibilities per character.

    So you'll end up with 37^31.

    You might very well find that the chances of accidentally creating the
    same sessionid are equal to the chance you win the lottery 100 times in a
    row, without ever buying a ticket, but finding them on the street.

    So as far as I can see: there is no need to worry.

    Regards,
    Erwin Moller

    PS: I don't think the IP address is of importance when creating a sessionid.

  • howa

    #3
    Re: How PHP Session ID is proved to be unique?

    It is not a problem of easy or difficult, but of chance...

    Consider that you put money in a bank: if others might take your session,
    even if the probability is 0.00000001%, we still want to avoid it....

    Or we need to find a better method to assign the session ID, e.g. keep
    track of the session IDs in a database.

    On 6 23, 7 03, Erwin Moller
    <since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
    > howa wrote:
    > > For example, if two hosts arrive at a server at the same time
    > > (microtime), using the same IP via NAT, and are maybe even lucky
    > > enough to have the same random number,
    > >
    > > How does PHP make them use different session IDs?
    > >
    > > Or is the PHP session in fact not 100% safe enough?
    > >
    > > thanks.
    >
    > Hi Howa,
    >
    > As far as I know PHP doesn't take precautions for that.
    > A typical sessionid consists of 31 or so characters, ranging from
    > 0-9 and a-z: that is 37 possibilities per character.
    >
    > So you'll end up with 37^31.
    >
    > You might very well find that the chances of accidentally creating the
    > same sessionid are equal to the chance you win the lottery 100 times in a
    > row, without ever buying a ticket, but finding them on the street.
    >
    > So as far as I can see: there is no need to worry.
    >
    > Regards,
    > Erwin Moller
    >
    > PS: I don't think the IP address is of importance when creating a sessionid.

  • David T. Ashley

    #4
    Re: How PHP Session ID is proved to be unique?

    I've never used the PHP sessions (my code assigns its own session IDs).

    The particular approach I use to ensure uniqueness is to concatenate time,
    microtime, and PID, and then to spinlock until the microtime changes. This
    works because no two processes can have the same PID at the same time.

    As Herr Moller pointed out, IP isn't directly involved in session ID.
    However, when a session is opened on my systems, there is some server-side
    state held to remember the session and related data, including the IP. If
    there is another connection made using the same session ID from a different
    IP, the software assumes that it is a forgery, kills the session(s)
    involved, and writes alarming things in the logfiles.

    I don't know what security best practices are for sessions, but I think if
    the IP changes during a session it would be unusual.

    Dave.

    "howa" <howachen@gmail.com> wrote in message
    news:1182604503.403288.39290@e9g2000prf.googlegroups.com...
    > It is not a problem of easy or difficult, but of chance...
    >
    > Consider that you put money in a bank: if others might take your session,
    > even if the probability is 0.00000001%, we still want to avoid it....
    >
    > Or we need to find a better method to assign the session ID, e.g. keep
    > track of the session IDs in a database.
    >
    > On 6 23, 7 03, Erwin Moller
    > <since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
    > > howa wrote:
    > > > For example, if two hosts arrive at a server at the same time
    > > > (microtime), using the same IP via NAT, and are maybe even lucky
    > > > enough to have the same random number,
    > > >
    > > > How does PHP make them use different session IDs?
    > > >
    > > > Or is the PHP session in fact not 100% safe enough?
    > > >
    > > > thanks.
    > >
    > > Hi Howa,
    > >
    > > As far as I know PHP doesn't take precautions for that.
    > > A typical sessionid consists of 31 or so characters, ranging from
    > > 0-9 and a-z: that is 37 possibilities per character.
    > >
    > > So you'll end up with 37^31.
    > >
    > > You might very well find that the chances of accidentally creating the
    > > same sessionid are equal to the chance you win the lottery 100 times in a
    > > row, without ever buying a ticket, but finding them on the street.
    > >
    > > So as far as I can see: there is no need to worry.
    > >
    > > Regards,
    > > Erwin Moller
    > >
    > > PS: I don't think the IP address is of importance when creating a
    > > sessionid.

  • howa

    #5
    Re: How PHP Session ID is proved to be unique?

    On 6 23, 11 35, "David T. Ashley" <d...@e3ft.com> wrote:
    > The particular approach I use to ensure uniqueness is to concatenate time,
    > microtime, and PID, and then to spinlock until the microtime changes. This
    > works because no two processes can have the same PID at the same time.

    Yes, your method seems more reliable than the PHP implementation...
    but will it work on a multi-threaded web server, e.g. apache2?

  • David T. Ashley

    #6
    Re: How PHP Session ID is proved to be unique?

    "howa" <howachen@gmail.com> wrote in message
    news:1182614984.507891.134810@i38g2000prf.googlegroups.com...
    > On 6 23, 11 35, "David T. Ashley" <d...@e3ft.com> wrote:
    > > The particular approach I use to ensure uniqueness is to concatenate
    > > time, microtime, and PID, and then to spinlock until the microtime
    > > changes. This works because no two processes can have the same PID at
    > > the same time.
    >
    > Yes, your method seems more reliable than the PHP implementation...
    > but will it work on a multi-threaded web server, e.g. apache2?

    My understanding would be that it won't work if a server is truly
    multi-threaded.

    My assumption is that each process is single-threaded, and that the http
    server farms things out so that each PHP script running at any instant in
    time has only one PID.

    If threads are involved, that complicates things.

    One would then need to use a different method entirely or also add some kind
    of a thread identifier.

    Dave.
    --
    David T. Ashley (dta@e3ft.com)
    http://www.e3ft.com (Consulting Home Page)
    http://www.dtashley.com (Personal Home Page)
    http://gpl.e3ft.com (GPL Publications and Projects)

  • Jerry Stuckle

    #7
    Re: How PHP Session ID is proved to be unique?

    howa wrote:
    > It is not a problem of easy or difficult, but of chance...
    >
    > Consider that you put money in a bank: if others might take your session,
    > even if the probability is 0.00000001%, we still want to avoid it....
    >
    > Or we need to find a better method to assign the session ID, e.g. keep
    > track of the session IDs in a database.
    >
    > On 6 23, 7 03, Erwin Moller
    > <since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
    > > howa wrote:
    > > > For example, if two hosts arrive at a server at the same time
    > > > (microtime), using the same IP via NAT, and are maybe even lucky
    > > > enough to have the same random number,
    > > > How does PHP make them use different session IDs?
    > > > Or is the PHP session in fact not 100% safe enough?
    > > > thanks.
    > > Hi Howa,
    > >
    > > As far as I know PHP doesn't take precautions for that.
    > > A typical sessionid consists of 31 or so characters, ranging from
    > > 0-9 and a-z: that is 37 possibilities per character.
    > >
    > > So you'll end up with 37^31.
    > >
    > > You might very well find that the chances of accidentally creating the
    > > same sessionid are equal to the chance you win the lottery 100 times in a
    > > row, without ever buying a ticket, but finding them on the street.
    > >
    > > So as far as I can see: there is no need to worry.
    > >
    > > Regards,
    > > Erwin Moller
    > >
    > > PS: I don't think the IP address is of importance when creating a sessionid.

    There are no absolutes in computers. All there are are probabilities.

    You just have to lower the probabilities enough so that they aren't a
    problem.

    For a website with 37^31 possibilities, I would think anything 1B
    hits/sec should be sufficient.

    If you want true security, you need to use irrational numbers (or
    similar) for your key. Of course, an irrational number never ends and
    never repeats, so you may have a hard time sending that value over the
    connection.

    Anything else can be duplicated.

    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.
    jstucklex@attglobal.net
    ==================
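The arithmetic behind Erwin's 37^31, Jerry's "1B hits/sec" and howa's 0.00000001% budget, as an added worked example that is not part of the thread. It treats every ID as drawn uniformly at random and applies the birthday bound; the PHP entropy figures are those of PHP 7.1 and later, where session IDs come from the CSPRNG and session.sid_length/session.sid_bits_per_character default to 32 and 4 (the shipped php.ini sets 26 and 5). The 32-bit scheme is a hypothetical weak baseline for comparison.

```php
<?php
// Added example, not code from the thread: birthday-bound arithmetic for the
// ID spaces discussed above. Assumes IDs are drawn uniformly at random.
declare(strict_types=1);

/** Probability that at least two of $n IDs drawn from 2**$bits values collide. */
function collisionProbability(float $bits, float $n): float
{
    $space = 2.0 ** $bits;
    // 1 - exp(-n(n-1)/(2N)); -expm1() keeps precision for very small results
    return -expm1(-$n * ($n - 1.0) / (2.0 * $space));
}

/** Largest number of IDs that keeps the collision probability at or below $maxP. */
function idsWithinRiskBudget(float $bits, float $maxP): float
{
    // inverse of the bound above: n^2 ~ -2N ln(1 - p)
    return sqrt(2.0 * (2.0 ** $bits) * -log1p(-$maxP));
}

$schemes = [
    // label                              => bits of entropy
    'Erwin: 31 chars, 37 symbols each'    => 31 * log(37, 2),   // ~161.5 bits
    'PHP 7.1+ default: 32 chars x 4 bits' => 32 * 4,            // sid_length=32, sid_bits_per_character=4
    'shipped php.ini: 26 chars x 5 bits'  => 26 * 5,            // sid_length=26, sid_bits_per_character=5
    'hypothetical 32-bit ID'              => 32,                // weak baseline for comparison
];

$perYear    = 1e9 * 86400 * 365;   // Jerry's 1B hits/sec, sustained for one year
$riskBudget = 1e-10;               // howa's 0.00000001%

printf("%-38s %7s %14s %18s\n", 'scheme', 'bits', 'p(1e9/s, 1 yr)', 'IDs at p<=1e-10');
foreach ($schemes as $label => $bits) {
    printf("%-38s %7.1f %14.2e %18.2e\n", $label, $bits,
        collisionProbability($bits, $perYear), idsWithinRiskBudget($bits, $riskBudget));
}
```

Run it with `php birthday.php`. The table makes the thread's intuition concrete: a 128-bit space tolerates on the order of 10^14 issued IDs before the collision probability reaches howa's budget, whereas the 32-bit baseline is past certainty long before a year of Jerry's traffic, which is why the entropy of the ID, not the existence of a collision check, is what decides whether a session can be guessed or accidentally shared.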

  • Michael Fesser

    #8
    Re: How PHP Session ID is proved to be unique?

    ..oO(David T. Ashley)
    > However, when a session is opened on my systems, there is some server-side
    > state held to remember the session and related data, including the IP. If
    > there is another connection made using the same session ID from a different
    > IP, the software assumes that it is a forgery, kills the session(s)
    > involved, and writes alarming things in the logfiles.

    This might lead to many false alarms. An IP is not unique to a
    particular visitor.

    Micha

  • Michael Fesser

    #9
    Re: How PHP Session ID is proved to be unique?

    ..oO(howa)
    > For example, if two hosts arrive at a server at the same time
    > (microtime), using the same IP via NAT, and are maybe even lucky
    > enough to have the same random number,

    Very unlikely.

    > How does PHP make them use different session IDs?

    Don't know, probably nothing because it won't happen.

    > Or is the PHP session in fact not 100% safe enough?

    A session ID is a hash. By definition hashes can _never_ be 100% unique,
    but the chance of a collision is small enough to be considered safe. If
    that's not enough for you, then you have to implement some additional
    checks, for example a new session ID and a forced re-login before doing
    some critical operations.

    Micha

  • Jerry Stuckle

    #10
    Re: How PHP Session ID is proved to be unique?

    David T. Ashley wrote:
    > I've never used the PHP sessions (my code assigns its own session IDs).
    >
    > The particular approach I use to ensure uniqueness is to concatenate time,
    > microtime, and PID, and then to spinlock until the microtime changes. This
    > works because no two processes can have the same PID at the same time.
    >
    > As Herr Moller pointed out, IP isn't directly involved in session ID.
    > However, when a session is opened on my systems, there is some server-side
    > state held to remember the session and related data, including the IP. If
    > there is another connection made using the same session ID from a different
    > IP, the software assumes that it is a forgery, kills the session(s)
    > involved, and writes alarming things in the logfiles.
    >
    > I don't know what security best practices are for sessions, but I think if
    > the IP changes during a session it would be unusual.
    >
    > Dave.

    It is actually quite common for an IP to change during a session - for
    instance, AOL users have a "round robin" proxy system which picks the
    least busy proxy at the time the request is being made. Many large
    corporations have similar.

    And, of course, dynamic addresses can change at any time; some ISPs run
    leases as short as 1 hour.

    --
    ==================
    Remove the "x" from my email address
    Jerry Stuckle
    JDS Computer Training Corp.
    jstucklex@attglobal.net
    ==================

  • David T. Ashley

    #11
    Re: How PHP Session ID is proved to be unique?

    "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
    news:tZmdnS4fuL2l8OPbnZ2dnUVZ_s-rnZ2d@comcast.com...
    > David T. Ashley wrote:
    > > I've never used the PHP sessions (my code assigns its own session IDs).
    > >
    > > The particular approach I use to ensure uniqueness is to concatenate
    > > time, microtime, and PID, and then to spinlock until the microtime
    > > changes. This works because no two processes can have the same PID at
    > > the same time.
    > >
    > > As Herr Moller pointed out, IP isn't directly involved in session ID.
    > > However, when a session is opened on my systems, there is some
    > > server-side state held to remember the session and related data,
    > > including the IP. If there is another connection made using the same
    > > session ID from a different IP, the software assumes that it is a
    > > forgery, kills the session(s) involved, and writes alarming things in the
    > > logfiles.
    > >
    > > I don't know what security best practices are for sessions, but I think
    > > if the IP changes during a session it would be unusual.
    > >
    > > Dave.
    >
    > It is actually quite common for an IP to change during a session - for
    > instance, AOL users have a "round robin" proxy system which picks the
    > least busy proxy at the time the request is being made. Many large
    > corporations have similar.
    >
    > And, of course, dynamic addresses can change at any time; some ISPs run
    > leases as short as 1 hour.

    Thanks for the heads up. It would have EVENTUALLY come out in testing with
    users getting tossed, but better to know this in advance.

    Makes sense.

    I will change my code accordingly.
    --
    David T. Ashley (dta@e3ft.com)
    http://www.e3ft.com (Consulting Home Page)
    http://www.dtashley.com (Personal Home Page)
    http://gpl.e3ft.com (GPL Publications and Projects)

  • howa

    #12
    Re: How PHP Session ID is proved to be unique?

    > There are no absolutes in computers. All there are are probabilities.
    >
    > You just have to lower the probabilities enough so that they aren't a
    > problem.
    >
    > For a website with 37^31 possibilities, I would think anything 1B
    > hits/sec should be sufficient.

    I think keeping track of the session IDs currently assigned would be a safe
    solution (e.g. write the ID into the DB; with proper locking or unique
    constraints, collisions won't occur).

  • Toby A Inkster

    #13
    Re: How PHP Session ID is proved to be unique?

    David T. Ashley wrote:
    > I don't know what security best practices are for sessions, but I think if
    > the IP changes during a session it would be unusual.

    Not particularly unusual. My office has three ADSL connections with
    different IPs, and a load-balancing router. If a user in the office made
    two page requests from your site, there is a 67% chance that they would
    come from different IP addresses.

    Such a network configuration is not particularly unusual. Many routers
    aimed at offices of 50-200 people allow for load balancing between two or
    more Internet connections.

    --
    Toby A Inkster BSc (Hons) ARCS
    [Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
    [OS: Linux 2.6.12-12mdksmp, up 3 days, 19:41.]

    A New Look for TobyInkster.co.uk

  • Willem Bogaerts

    #14
    Re: How PHP Session ID is proved to be unique?

    > > Or is the PHP session in fact not 100% safe enough?
    >
    > A session ID is a hash. By definition hashes can _never_ be 100% unique,

    Not entirely true. Generating the hash is not guaranteed to be unique,
    but you can check if it already exists and generate another if it does.
    I searched the documentation and could not find anything on uniqueness
    of session IDs. If somebody has some more info, please point us to it.

    Best regards,
    --
    Willem Bogaerts

    Application smith
    Kratz B.V.

  • howa

    #15
    Re: How PHP Session ID is proved to be unique?

    Yes.

    So assuming we don't know the uniqueness of PHP sessions, we can
    implement those things ourselves if we really want to...

    On 6 25, 2 56, Willem Bogaerts
    <w.bogae...@kratz.maardanzonderditstuk.nl> wrote:
    > > > Or is the PHP session in fact not 100% safe enough?
    > >
    > > A session ID is a hash. By definition hashes can _never_ be 100% unique,
    >
    > Not entirely true. Generating the hash is not guaranteed to be unique,
    > but you can check if it already exists and generate another if it does.
    > I searched the documentation and could not find anything on uniqueness
    > of session IDs. If somebody has some more info, please point us to it.
    >
    > Best regards,
    > --
    > Willem Bogaerts
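What "implement those things ourselves" can look like in modern PHP, as an added example that is not code from the thread or from any of its participants. It combines three points raised above: howa's "keep track of the session IDs in a database", Willem's "check if it already exists and generate another if it does", and Michael Fesser's "a new session ID before doing some critical operations". It targets PHP 8.0 or later with the pdo_sqlite extension; the class, table and column names are hypothetical, the IDs come from random_bytes() rather than time/PID, and session.use_strict_mode makes PHP ask the handler's validateId() before it accepts any ID a client presents.

```php
<?php
// Added example, not code from the thread: a PDO/SQLite-backed session handler
// that (1) draws IDs from the CSPRNG, (2) checks each new ID against the store
// and regenerates on a hit, (3) lets session.use_strict_mode reject IDs it never
// issued, and (4) rotates the ID before a sensitive step. Names are hypothetical.
declare(strict_types=1);

final class CheckedSessionHandler implements SessionHandlerInterface,
    SessionIdInterface, SessionUpdateTimestampHandlerInterface
{
    private const MAX_ATTEMPTS = 8;

    public function __construct(private PDO $db)
    {
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // PRIMARY KEY is the uniqueness constraint howa asked for: the store
        // itself refuses two rows with the same ID.
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, updated INTEGER NOT NULL)');
    }

    // Willem's suggestion: generate, check whether it exists, try again if so.
    public function create_sid(): string
    {
        for ($i = 0; $i < self::MAX_ATTEMPTS; $i++) {
            $id = bin2hex(random_bytes(16));   // 128 random bits, not time/PID derived
            if (!$this->validateId($id)) {
                return $id;
            }
        }
        throw new RuntimeException('no unused session ID after ' . self::MAX_ATTEMPTS . ' attempts');
    }

    // Strict mode calls this for every ID the client presents; an ID this
    // store never issued is discarded and replaced, so a client cannot choose
    // its own session ID.
    public function validateId(string $id): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        return $stmt->fetchColumn() !== false;
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data;   // '' = no data yet, per the interface
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('INSERT OR REPLACE INTO sessions (id, data, updated) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time()]);
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('UPDATE sessions SET updated = ? WHERE id = ?');
        return $stmt->execute([time(), $id]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $stmt->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// ---- command-line demonstration (no cookies are sent from the CLI) ----
ini_set('session.use_strict_mode', '1');   // reject IDs the handler did not issue
ini_set('session.use_cookies', '0');

$handler = new CheckedSessionHandler(new PDO('sqlite::memory:'));
session_set_save_handler($handler, true);

$supplied = str_repeat('0', 32);           // constructed: an ID the store never issued
session_id($supplied);
session_start();                           // strict mode asks validateId(), gets false, calls create_sid()
$issued = session_id();
$_SESSION['account'] = 'demo';

session_regenerate_id(true);               // Fesser's point: fresh ID before a critical step, old row destroyed
$rotated = session_id();
session_write_close();

printf("client-supplied ID accepted:   %s\n", $issued === $supplied ? 'yes' : 'no');
printf("ID rotated before critical step: %s\n", $issued !== $rotated ? 'yes' : 'no');
printf("old ID still valid:            %s\n", $handler->validateId($issued) ? 'yes' : 'no');
printf("new ID known to the store:     %s\n", $handler->validateId($rotated) ? 'yes' : 'no');
```

Run it with `php session_demo.php`; the four lines should read no, yes, no, yes. One caveat a reviewer would raise: between the SELECT in create_sid() and the write at the end of the request, another request could in principle draw the same ID, and INSERT OR REPLACE would then overwrite rather than fail. With 128 random bits that is the 2^-128 event the rest of the thread is about, so the example does not add locking; the existence check and the PRIMARY KEY document the invariant, while the entropy of random_bytes() is what actually keeps IDs from colliding or being guessed.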