Newsgroups: php.internals
From: lester@lsces.co.uk (Lester Caine)
To: internals@lists.php.net
Date: Tue, 16 Aug 2016 15:51:51 +0100
Subject: Re: [PHP-DEV] [RFC][VOTE] Add session_create_id() function
References: <592333a7-2c73-38a4-b400-f3f2c7bf2f72@lsces.co.uk>

On 16/08/16 13:08, Tom Worster wrote:
>> >The default 128 bits Session ID is large enough to ignore collisions
>> >https://wiki.php.net/rfc/session-create-id#discussions
>> >
>> >It describes for an application, but PHP is a platform.
>> >There are millions of PHP apps or more and there could be billions of
>> >active sessions. There could be tens of thousands of new session IDs or
>> >more created. Apply the calculation for expected time of possible
>> >collision.
>> >
>> >Are you still sure "There will be no collisions at all"?
> The calculation underestimates the difficulty of finding collisions by 38
> decimal orders of magnitude. The number of different SIDs in default PHP
> config is 2^192, not 2^64. So yes, I am still sure.

In a distributed system which would be required to handle millions of
sessions at the same time, one will have thousands of copies of PHP
running and shared via some sort of traffic manager. So unless some sort
of mechanism is included to provide identification of the PHP instance,
it is probable that different instances will all produce the same
sequence of numbers.

A UUID generator provided to ensure every distributed service has a
uniquely identifiable id for every 'session' is not something that forms
part of a single instance of PHP. It must be centrally managed with a
central session store. All that a single instance of PHP should be
worrying about is a few hundred active sessions?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk