Newsgroups: php.internals
Subject: Re: [PHP-DEV] Session Id Collisions
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Raymond Irving
CC: PHP Internals
Date: Thu, 23 Aug 2012 08:03:32 -0700
Message-ID: <50364644.1060302@lerdorf.com>

On 08/22/2012 09:48 PM, Raymond Irving wrote:
> Hello Everyone,
>
> I've been reading that it's possible to encounter session id collisions
> with the default php configuration. It's also been said that PHP utilizes a
> cryptographically weak random number generator to produce session ID
> information.
>
> I know it's possible to change the hash function and entropy used in the
> generation of the id but after looking at the php_session_create_id()
> function in the source code, I am wondering if adding the User Agent
> string to the default setup would improve the uniqueness of the id.
>
> What do you think?

Adding a widely-known string adds very little entropy. As of PHP 5.4 we
default to using session.entropy_file set to /dev/urandom or /dev/random
(if it is available) so there is no entropy issue with the default config
as of 5.4. Before 5.4 users had to be aware enough to add that to their
php.ini themselves.

-Rasmus
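As an added illustration of the php.ini setting Rasmus refers to (this fragment is not part of the mailing-list thread and is not PHP's own documentation): the pre-5.4 state, where no entropy file is configured and the id is derived only from predictable inputs, shown beside the settings a deployment on the 5.3 to 7.0 series should set explicitly rather than rely on a version-dependent default. The directive names session.entropy_file, session.entropy_length, session.hash_function and session.hash_bits_per_character are real PHP ini directives of that era (all four were removed in PHP 7.1, which draws session ids from the OS CSPRNG unconditionally); the hardened values are suggestions, not a quotation of PHP's defaults.

```ini
; Added example, not from the original post: php.ini session-id settings
; for PHP 5.3 through 7.0. Directives removed in PHP 7.1 (ids then always
; come from the OS CSPRNG, so none of this is needed there).

; --- Weak: what a pre-5.4 install gets when nothing is configured ---
; session.entropy_file =            ; empty: no OS randomness mixed in
; session.entropy_length = 0        ; nothing read from the entropy file
; session.hash_function = 0         ; 0 = MD5 (1 = SHA-1)
; Result: the id is a hash of predictable inputs (time of day, client
; address, PHP's internal LCG). Appending a User-Agent string to that mix
; does not help: the value is attacker-chosen and widely known.

; --- Hardened: make the 5.4 behaviour explicit on any 5.x/7.0 install ---
session.entropy_file = /dev/urandom   ; non-blocking kernel CSPRNG
session.entropy_length = 32           ; bytes read per id; 32 = 256 bits
session.hash_function = sha256        ; any name from hash_algos()
session.hash_bits_per_character = 5   ; 4, 5 or 6; wider alphabet, shorter id
```

To confirm what a running interpreter actually uses, `php -i | grep session.entropy` (and `php --ini` to find which php.ini was loaded) shows the effective values; an empty session.entropy_file or a zero session.entropy_length on a pre-5.4 build is the condition Rasmus describes users having to fix by hand.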