Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:62414
Return-Path: <xwisdom@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 3934 invoked from network); 23 Aug 2012 04:48:17 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 23 Aug 2012 04:48:17 -0000
Authentication-Results: pb1.pair.com smtp.mail=xwisdom@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=xwisdom@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.215.42 as permitted sender)
X-PHP-List-Original-Sender: xwisdom@gmail.com
X-Host-Fingerprint: 209.85.215.42 mail-lpp01m010-f42.google.com  
Received: from [209.85.215.42] ([209.85.215.42:48882] helo=mail-lpp01m010-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id BD/41-29773-016B5305 for <internals@lists.php.net>; Thu, 23 Aug 2012 00:48:17 -0400
Received: by lahl5 with SMTP id l5so195325lah.29
        for <internals@lists.php.net>; Wed, 22 Aug 2012 21:48:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=5ykYflYyaAzvgQr7mOx6dbRQ3IIoC7o3BUjTRosLHnI=;
        b=ciur9SAgjmGXPuNiYQDqovLYvO7v/AuSC8FFZeO5+W+Z9lWIs5EptJIhFV4jtbTu0F
         4afWVflYoYybdkecqRT973cbImDgDpJzQ/4tlSRUG/lSA2h31lfe1P21DSiLNo3ifPiq
         cqtE8UVs4RZRPK8TpRCpGE6LoyD4BlNbd4YI/zlTW6hfLqtTY5EPVFQbmTzaH5jmqq/B
         2Rhb7YJIkzaOD3tgnDVXvTvkQL1bqugYSiDSbrekXPUg5z69srzQEDPmpcYIDT1a4NEC
         NiYi/PTm/xR7FlJj0/yINTI7AfctCOz0L3fA9XRTqiH+MEUERk/rq9SQjGNU0E41O+V3
         7ucg==
MIME-Version: 1.0
Received: by 10.152.148.199 with SMTP id tu7mr203293lab.37.1345697292793; Wed,
 22 Aug 2012 21:48:12 -0700 (PDT)
Received: by 10.112.145.70 with HTTP; Wed, 22 Aug 2012 21:48:12 -0700 (PDT)
Date: Wed, 22 Aug 2012 23:48:12 -0500
Message-ID: <CAJRMtAGcN-n9wv8-CFiLt+bXhMvOcmfG8a3kBORVUVCz9n4Bqw@mail.gmail.com>
To: PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=e89a8f2353bb1cb64404c7e79184
Subject: Session Id Collisions
From: xwisdom@gmail.com (Raymond Irving)

--e89a8f2353bb1cb64404c7e79184
Content-Type: text/plain; charset=ISO-8859-1

Hello Everyone,

I've been reading that it's possible to encounter session id collisions
with the default php configuration. It's also been said that PHP utilizes a
cryptographically weak random number generator to
produce session ID information.


I know it's possible to change the hash function and entropy used in the
generation of the id but after looking at the php_session_create_id()
function  in the source code, I am wondering if adding the User Agent
string to the default setup would improve the uniqueness of the id.

What do you think?


__
Raymond

--e89a8f2353bb1cb64404c7e79184--