Newsgroups: php.internals
Xref: news.php.net php.internals:62533
Subject: Re: [PHP-DEV] Session Id Collisions
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
Date: Mon, 27 Aug 2012 05:49:20 +0900
To: Stas Malyshev
Cc: Ferenc Kovacs, Sherif Ramadan, PHP Internals
In-Reply-To: <5039E4FA.6060102@sugarcrm.com>
References: <50364644.1060302@lerdorf.com> <5039E4FA.6060102@sugarcrm.com>

Hi,

2012/8/26 Stas Malyshev:
> Hi!
>
>> I know session ID collision will most likely not happen, but
>> there are a few people who worry about collisions. We can check
>> for session ID collision when the ID is generated.
>
> You mean two randomly generated session IDs colliding? I think the
> probability of it is pretty low. I mean it'd take PHP's random number
> generator function to generate two equal random numbers in the same
> microsecond. And these are random 64-bit numbers, so unless you're
> generating billions of sessions per microsecond I don't think it's a
> very real concern.

Right. Statistically, session ID collision will not happen. The
probability is very low even when we consider the birthday paradox.
We could also use a stronger hash (SHA-1 etc.) rather than MD5.

However, collision detection is easy and makes collision impossible.
That's the whole point of the patch.

Collision is most unlikely, but a unique session ID is the basis of
security. It's worth having, IMHO.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
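The two points argued in the message above, as an added example that is not part of the thread, the patch under discussion, or PHP's own session code: the birthday-bound estimate behind the "billions of sessions per microsecond" remark, and a generate-then-check loop that retries when the freshly generated ID already exists in the session store. It is written in Python as a model of the algorithm, not of PHP's ext/session internals. The in-memory `SessionStore`, the `new_session_id` helper, the retry limit of 8 and the use of `secrets.token_hex(16)` as the default generator are assumptions made for illustration.

```python
"""Session-ID generation with collision detection (added example).

Models the check described in the php.internals thread: generate an ID,
ask the store whether it already exists, and try again if it does.
Also computes the birthday-bound collision probability that the thread
argues is already negligible. Nothing here is PHP's actual code.
"""
import math
import secrets
from typing import Callable, Dict, Optional


def collision_probability(n_ids: int, id_bits: int) -> float:
    """Birthday-bound estimate of P(at least one collision) among n_ids
    uniformly random id_bits-bit identifiers.

    Uses P ~= 1 - exp(-n(n-1) / 2^(bits+1)), accurate while n is far
    below 2^bits. expm1 keeps precision when the probability is tiny.
    """
    exponent = n_ids * (n_ids - 1) / 2.0 ** (id_bits + 1)
    return -math.expm1(-exponent)


class SessionStore:
    """Constructed in-memory stand-in for the real session backend (assumption)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def exists(self, sid: str) -> bool:
        return sid in self._sessions

    def create(self, sid: str, data: Optional[dict] = None) -> bool:
        """Insert sid only if absent; return False on a collision.

        The existence check and the insert happen together so that two
        creators racing on the same ID cannot both succeed. A real backend
        needs an atomic primitive for this (e.g. open() with O_EXCL for
        file storage, or SETNX for Redis), not a separate exists() call.
        """
        if sid in self._sessions:
            return False
        self._sessions[sid] = data if data is not None else {}
        return True


def new_session_id(store: SessionStore,
                   rng: Optional[Callable[[], str]] = None,
                   max_tries: int = 8) -> str:
    """Generate a session ID and retry while the store already holds it.

    rng defaults to 128 bits from the OS CSPRNG, hex-encoded (assumption).
    Giving up after max_tries turns a broken or stuck generator into a
    loud failure instead of a silently shared session.
    """
    if rng is None:
        rng = lambda: secrets.token_hex(16)
    for _ in range(max_tries):
        sid = rng()
        if store.create(sid):
            return sid
    raise RuntimeError("could not allocate a unique session id after %d tries" % max_tries)


if __name__ == "__main__":
    print("P(collision), 1e9 IDs, 64-bit :", collision_probability(10**9, 64))
    print("P(collision), 1e9 IDs, 128-bit:", collision_probability(10**9, 128))

    store = SessionStore()
    # Constructed broken generator that always returns the same value:
    # the check rejects it rather than handing two clients one session.
    store.create("stuck")
    try:
        new_session_id(store, rng=lambda: "stuck")
    except RuntimeError as exc:
        print("rejected:", exc)
    print("fresh id:", new_session_id(store))
```

With a billion 64-bit IDs the estimate is a few percent, which is why the thread treats collisions as statistically negligible for realistic session counts; the check in `SessionStore.create` is what removes even that residual probability, and it only helps if the backend performs the test-and-insert atomically.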