Posted by Richard Levasseur on 10/14/41 11:54

Jerry Stuckle wrote:

>
> Of course, if you go and manually edit the session id you're going to
> get an identical session. What else do you expect?
>
> But under normal conditions two browsers should not be getting the same
> session id. It's a long (32 char, IIFC) hex value which shouldn't be
> duplicated - and shouldn't be guessable by chance.
>
>

This also illustrates the use of having a good session_id generator.
Its not impossible to guess a session id using brute force and
statistics. Of course, the attacker needs to generate a large number
of session ids to figure out what ones are possibly active, then figure
out which of those have information he wants. The chances of that are
relatively remote, but not out of the realm of possibility. If you're
really worried about security that much, then its something to keep in
mind.

• Next in forum: PHP on IIS
• Prev in forum: Re: PHP vs. J2EE
• Thread view: Re: _SESSION weirdness behind a NAT firewall/router: bug?

[Reply to this message]