Posted by Erwin Moller on 06/23/07 11:03
howa wrote:
> For example, if two hosts arrive at a server at the same time
> (microtime), and using the same IP via NAT, and maybe even lucky
> enough to have the same random number
>
> How does PHP make them use different session IDs?
>
> Or is a PHP session in fact not 100% safe enough?
>
> thanks.
Hi Howa,
As far as I know PHP doesn't take precautions for that.
A typical sessionid consists of 31 or so characters, ranging from:
0-9 and a-z: that is 37 possibilities per character.
So you'll end up with 37^31
You might very well find that the chances of accidentally creating the
same sessionid are equal to the chance you win the lottery 100 times in a
row, without ever buying a ticket, but finding them on the street.
So as far as I can see: there is no need to worry.
Regards,
Erwin Moller
PS: I don't think the IP address is of importance when creating a sessionid.
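
An added example, not part of Erwin Moller's post: a birthday-bound estimate of how likely two session IDs collide, using the figures as stated in the reply (37 symbols per character, 31 characters). It assumes IDs are drawn uniformly at random, which the thread does not establish; the function names are made up for this illustration.

```python
import math


def id_space(alphabet_size: int, length: int) -> int:
    """Number of distinct IDs for a given alphabet and length."""
    return alphabet_size ** length


def id_space_bits(alphabet_size: int, length: int) -> float:
    """Size of the ID space expressed in bits."""
    return length * math.log2(alphabet_size)


def collision_probability(sessions: int, space: int) -> float:
    """Birthday approximation: P(at least one collision) among
    `sessions` IDs drawn uniformly from `space` possibilities."""
    if sessions < 2:
        return 0.0
    if sessions > space:
        return 1.0  # pigeonhole: more IDs than slots
    pairs = sessions * (sessions - 1) // 2
    # expm1 keeps precision when the probability is tiny
    return -math.expm1(-pairs / space)


def sessions_for_probability(target: float, space: int) -> float:
    """Approximate number of live sessions needed before the collision
    probability reaches `target` (0 < target < 1)."""
    return math.sqrt(2 * space * -math.log1p(-target))


if __name__ == "__main__":
    # Figures taken from the post as written: 37 symbols, 31 characters.
    space = id_space(37, 31)
    print(f"ID space: about {id_space_bits(37, 31):.1f} bits")
    for n in (10**3, 10**6, 10**9):
        p = collision_probability(n, space)
        print(f"{n:>13,} sessions -> P(collision) ~ {p:.3e}")
    n_half = sessions_for_probability(0.5, space)
    print(f"50% collision chance at about {n_half:.2e} sessions")
```

The estimate only holds if the generator really is uniform; a biased or predictable generator makes collisions (and guessing) far more likely than the size of the ID space suggests.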