Posted by howa on 06/23/07 13:15
It is not a problem of easy or difficult, but of chance ...
Consider that you put money in a bank and someone else might take your session;
even if the probability is 0.00000001%, we still want to avoid it....
Or we need to find a better method to assign the session ID, e.g. keep
track of the session ID in a database.
On 6 23 , 7 03 , Erwin Moller
<since_humans_read_this_I_am_spammed_too_m...@spamyourself.com> wrote:
> howa wrote:
> > For example, if two hosts arrive at a server at the same time
> > (microtime), and using the same IP via NAT, and maybe even lucky
> > enough to have the same random number
>
> > How does PHP make them use different session IDs?
>
> > Or in fact is a PHP session not 100% safe enough?
>
> > thanks.
>
> Hi Howa,
>
> As far as I know PHP doesn't take precautions for that.
> A typical sessionid consists of 31 or so characters, ranging from:
> 0-9 and a-z: that is 37 possibilities per character.
>
> So you'll end up with 37^31
>
> You might very well find that the chances of accidentally creating the
> same sessionid are equal to the chance you win the lottery 100 times in a
> row, without ever buying a ticket, but finding them on the street.
>
> So as far as I can see: there is no need to worry.
>
> Regards,
> Erwin Moller
>
> PS: I don't think the IP address is of importance when creating a sessionid.
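The two points raised in this thread, how small the collision chance is and howa's idea of tracking session IDs in a database, can be worked through together. This is an added example, not part of the original posts and not PHP's own session code; it uses Python with an in-memory SQLite table, and the function names, table layout and 128-bit ID size are assumptions.

```python
import math
import secrets
import sqlite3


def collision_probability(n_sessions: int, id_bits: int) -> float:
    """Birthday-bound approximation of the chance that any two of
    n uniformly random id_bits-bit IDs are equal:
    1 - exp(-n(n-1) / 2^(id_bits+1))."""
    exponent = n_sessions * (n_sessions - 1) / 2 ** (id_bits + 1)
    return -math.expm1(-exponent)  # expm1 keeps precision for tiny values


def open_store() -> sqlite3.Connection:
    """Session table whose PRIMARY KEY makes a duplicate ID impossible to store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (id TEXT PRIMARY KEY, owner TEXT NOT NULL)")
    return conn


def new_session(conn, owner, make_id=lambda: secrets.token_hex(16), max_tries=5):
    """Allocate a session ID from a CSPRNG (128 bits by default) and let the
    database reject a collision; on rejection, draw a fresh ID and retry.
    make_id is injectable only so a collision can be forced in a test."""
    for _ in range(max_tries):
        sid = make_id()
        try:
            with conn:  # commits on success, rolls back on error
                conn.execute(
                    "INSERT INTO sessions (id, owner) VALUES (?, ?)", (sid, owner)
                )
            return sid
        except sqlite3.IntegrityError:
            continue  # ID already in use: never hand it to a second client
    raise RuntimeError("could not allocate a unique session ID")


if __name__ == "__main__":
    # A million live sessions with 128-bit random IDs versus a 32-bit ID space.
    print("128-bit:", collision_probability(10**6, 128))
    print(" 32-bit:", collision_probability(10**5, 32))
    store = open_store()
    forced = iter(["aaaa", "aaaa", "bbbb"])  # constructed IDs forcing one collision
    print(new_session(store, "alice", make_id=lambda: next(forced)))
    print(new_session(store, "bob", make_id=lambda: next(forced)))
```

The uniqueness check only removes accidental collisions; resistance to guessing still depends on the ID coming from a cryptographically secure random source with enough bits.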