Posted by David T. Ashley on 06/23/07 15:35
I've never used the PHP sessions (my code assigns its own session IDs).
The particular approach I use to ensure uniqueness is to concatenate time,
microtime, and PID, and then to spinlock until the microtime changes. This
works because no two processes can have the same PID at the same time.
As Herr Moller pointed out, IP isn't directly involved in session ID.
However, when a session is opened on my systems, there is some server-side
state held to remember the session and related data, including the IP. If
there is another connection made using the same session ID from a different
IP, the software assumes that it is a forgery, kills the session(s)
involved, and writes alarming things in the logfiles.
I don't know what security best practices are for sessions, but I think if
the IP changes during a session it would be unusual.
Dave.
"howa" <howachen@gmail.com> wrote in message
news:1182604503.403288.39290@e9g2000prf.googlegroups.com...
> it is not a problem of easy or difficult, but of chance ...
>
> consider you put money in a bank, and if others might take your session,
> even if the probability is 0.00000001%, we still want to avoid it....
>
> or we need to find a better method to assign the session id, e.g. keep
> track of the session id in database
>
>
> On 6 23 , 7 03 , Erwin Moller
> <since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
>> howa wrote:
>> > For example, if two hosts arrive at a server at the same time
>> > (microtime), using the same IP via NAT, and are maybe even lucky
>> > enough to have the same random number
>>
>> > How does PHP make them use different session IDs?
>>
>> > or is the PHP session in fact not 100% safe enough?
>>
>> > thanks.
>>
>> Hi Howa,
>>
>> As far as I know PHP doesn't take precautions for that.
>> A typical sessionid consists of 31 or so characters, ranging from:
>> 0-9 and a-z: that is 37 possibilities per character.
>>
>> So you'll end up with 37^31
>>
>> You might very well find that the chances of accidentally creating the
>> same sessionid are equal to the chance you win the lottery 100 times in a
>> row, without ever buying a ticket, but finding them on the street.
>>
>> So as far as I can see: there is no need to worry.
>>
>> Regards,
>> Erwin Moller
>>
>> PS: I don't think the IP address is of importance when creating a
>> sessionid.
>
>
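The server-side check David describes (session bound to the client IP at creation; a second connection with the same ID from another IP kills the session and is logged), as an added example that is not code from the thread. It swaps in `random_bytes()` for the time+microtime+PID scheme, since for a session ID unpredictability matters as much as uniqueness; the in-memory array and the 203.0.113.x / 198.51.100.x addresses are constructed for the demonstration.

```php
<?php
// Added example: minimal session store with IP binding, not code from the thread.
// The store is a plain array here; a real deployment would keep it in a database
// or shared cache so that every PHP worker process sees the same state.

final class SessionStore
{
    /** @var array<string, array{ip: string, created: float, data: array}> */
    private array $sessions = [];

    public function create(string $clientIp): string
    {
        do {
            // 128 bits from the OS CSPRNG: unpredictable, and a collision is far
            // less likely than in the 37^31 keyspace discussed in the thread.
            $id = bin2hex(random_bytes(16));
        } while (isset($this->sessions[$id])); // defensive uniqueness check
        $this->sessions[$id] = [
            'ip'      => $clientIp,
            'created' => microtime(true),
            'data'    => [],
        ];
        return $id;
    }

    /** Returns the session data, or null if the ID is unknown or the IP does not match. */
    public function resume(string $id, string $clientIp): ?array
    {
        if (!isset($this->sessions[$id])) {
            return null; // unknown, expired, or already destroyed
        }
        if ($this->sessions[$id]['ip'] !== $clientIp) {
            // Same ID presented from a different IP: treat it as a possible
            // forgery, destroy the session and leave a trace in the server log.
            error_log(sprintf('session %s... reused from %s (bound to %s); destroyed',
                substr($id, 0, 8), $clientIp, $this->sessions[$id]['ip']));
            unset($this->sessions[$id]);
            return null;
        }
        return $this->sessions[$id]['data'];
    }
}

// Demonstration with constructed addresses.
$store = new SessionStore();
$sid = $store->create('203.0.113.10');
var_dump($store->resume($sid, '203.0.113.10')); // resumes from the bound IP
var_dump($store->resume($sid, '198.51.100.7')); // other IP: session destroyed, logged
var_dump($store->resume($sid, '203.0.113.10')); // original client is now logged out too
```

Note that the check also terminates legitimate users whose address changes mid-session (mobile carriers, proxy pools), so the log entry should be read as a signal to investigate rather than proof of an attack.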