Newsgroups: php.internals
Date: Thu, 23 Aug 2012 10:26:14 -0500
From: xwisdom@gmail.com (Raymond Irving)
To: Rasmus Lerdorf
Cc: PHP Internals
In-Reply-To: <50364644.1060302@lerdorf.com>
Subject: Re: [PHP-DEV] Session Id Collisions

Hi Rasmus,

Many thanks for the information. It would be great if this information could be added to the docs:
http://www.php.net/manual/en/session.configuration.php#ini.session.entropy-file

__
Raymond

On Thu, Aug 23, 2012 at 10:03 AM, Rasmus Lerdorf wrote:
> On 08/22/2012 09:48 PM, Raymond Irving wrote:
> > Hello Everyone,
> >
> > I've been reading that it's possible to encounter session id collisions
> > with the default php configuration. It's also been said that PHP utilizes a
> > cryptographically weak random number generator to produce session ID
> > information.
> >
> > I know it's possible to change the hash function and entropy used in the
> > generation of the id but after looking at the php_session_create_id()
> > function in the source code, I am wondering if adding the User Agent
> > string to the default setup would improve the uniqueness of the id.
> >
> > What do you think?
>
> Adding a widely-known string adds very little entropy. As of PHP 5.4 we
> default to using session.entropy_file set to /dev/urandom or /dev/random
> (if it is available) so there is no entropy issue with the default
> config as of 5.4. Before 5.4 users had to be aware enough to add that to
> their php.ini themselves.
>
> -Rasmus