Posted by Michael Fesser on 06/24/07 13:01
..oO(howa)
>For example, if two hosts arrive at a server at the same time
>(microtime), and using the same IP via NAT, and maybe even lucky
>enough to have the same random number
Very unlikely.
>How does PHP make them use different session IDs?
Don't know, probably nothing because it won't happen.
>or is the PHP session in fact not 100% safe enough?
A session ID is a hash. By definition hashes can _never_ be 100% unique,
but the chance of a collision is small enough to be considered safe. If
that's not enough for you, then you have to implement some additional
checks, for example a new session ID and a forced re-login before doing
some critical operations.
Micha
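
The additional check suggested in the reply above (a new session ID plus a forced re-login before a critical operation), as an added example that is not part of the original post. The helper names, the REAUTH_WINDOW value and the login path are assumptions made for illustration; session_regenerate_id() is PHP's own function.

```php
<?php
declare(strict_types=1);

// Added example: helper names and REAUTH_WINDOW are hypothetical.
const REAUTH_WINDOW = 300; // seconds a password confirmation stays valid (assumed policy)

session_start();

/** Call after a successful login or after the password was re-entered. */
function mark_authenticated(int $userId): void
{
    // Issue a fresh ID and delete the old session file, so an ID that
    // collided, leaked or was fixated before login stops being valid.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['authed_at'] = time();
}

/** True only if the user proved knowledge of the password recently. */
function recently_authenticated(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['authed_at'])
        && (time() - (int) $_SESSION['authed_at']) <= REAUTH_WINDOW;
}

/** Gate for critical operations (change e-mail, change password, payment). */
function require_recent_login(string $loginUrl): void
{
    if (!recently_authenticated()) {
        // Possessing a session ID alone is not enough here: force the re-login.
        header('Location: ' . $loginUrl, true, 303);
        exit;
    }
    // Rotate the ID again right before the sensitive action itself.
    session_regenerate_id(true);
}

// At the top of a critical page (the path is a placeholder):
require_recent_login('/login.php?reauth=1');
```

With this gate, a session ID that ended up in the wrong hands, by collision or otherwise, still cannot reach the critical operation without the account password.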