  1. #1
    pavanpuligandla (SitePoint Zealot)
    Join Date: Sep 2008
    Location: Hyderabad
    Posts: 179

    Length of a PHP SessionID..

    Hi,
    can anyone provide information about the length of PHPSESSID?
    I saw that JSESSID is 16 characters long, and in my application PHPSESSID is 26 characters,
    but in Gmail I saw an SID of over 100 characters.

    Does this session ID length have any significance?
    Please post detailed session ID information, such as:
    how many characters can a PHPSESSID contain?
    are there any security vulnerabilities if the session ID is small?

    Many Thanks,
    Pavan.P

  2. #2
    SitePoint Wizard
    Join Date: Mar 2008
    Posts: 1,149
    It depends on these configuration settings:
    session.hash_function and session.hash_bits_per_character

    Shorter session ID lengths have a higher chance of collision, but this also depends a lot on the ID generation algorithm. Given the default settings, the length of the session ID should be appropriate for most applications. For higher-security implementations, you may consider looking into how PHP generates its session IDs and check whether it's cryptographically secure. If it isn't, then you should roll your own algorithm with a cryptographically secure source of randomness.
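As an added example (not code from the thread, and not PHP's own implementation), the script below turns the two settings named in the reply above, and their PHP 7.1 replacements session.sid_length and session.sid_bits_per_character, into the resulting ID length, an upper bound on the bits an attacker has to guess, a birthday-bound collision estimate, and the expected cost of online guessing. The hash widths (128/160/256 bits for md5/sha1/sha256), the 4/5/6 bits-per-character alphabets and the session_create_id() check are taken from PHP's documented behaviour; the figure of one million live sessions is a constructed input.

```php
<?php
// Added example, not code from the thread or from PHP itself. It shows how the
// session settings decide a PHP session ID's length, how many bits an attacker
// must guess, and (on PHP 7.1+) checks the prediction against the id the engine
// actually generates. Assumed: hash widths 128/160/256 bits for md5/sha1/sha256,
// and the documented alphabets of 4, 5 or 6 bits per character.
declare(strict_types=1);

/**
 * Character count of a session id: the raw bits are re-encoded at $bitsPerChar
 * bits each, so the id is ceil(bits / bitsPerChar) characters long.
 * PHP 5.3-7.0: bits = width of session.hash_function,
 *              bitsPerChar = session.hash_bits_per_character.
 * PHP 7.1+:    the id is session.sid_length characters at
 *              session.sid_bits_per_character bits each.
 */
function sessionIdLength(int $bits, int $bitsPerChar): int
{
    if (!in_array($bitsPerChar, [4, 5, 6], true)) {
        throw new InvalidArgumentException('bits_per_character must be 4, 5 or 6');
    }
    return (int) ceil($bits / $bitsPerChar);
}

/**
 * Upper bound on the entropy of an id of $length chars at $bitsPerChar bits.
 * With a hash-based generator the bound is also capped by the hash width
 * (md5 at 5 bits/char gives 26 chars = 130 encoded bits but only 128 real ones)
 * and is only reached if the hashed input was itself unpredictable.
 */
function sessionIdEntropyBits(int $length, int $bitsPerChar, ?int $hashBits = null): int
{
    $encoded = $length * $bitsPerChar;
    return $hashBits === null ? $encoded : min($encoded, $hashBits);
}

/** Birthday bound: roughly how many ids must exist before a collision is likely. */
function collisionLikelyAfter(int $entropyBits): float
{
    return sqrt(M_PI / 2 * 2 ** $entropyBits);
}

/** Expected online guesses needed to hit any one of $liveSessions valid ids. */
function expectedGuesses(int $entropyBits, int $liveSessions): float
{
    return 2 ** $entropyBits / $liveSessions;
}

function main(): void
{
    // Pre-7.1 settings: session.hash_function x session.hash_bits_per_character.
    printf("%-7s %-4s %-5s %-7s %-12s %s\n",
        'hash', 'bpc', 'chars', 'entropy', 'collision~N', 'guesses (1e6 live)');
    foreach (['md5' => 128, 'sha1' => 160, 'sha256' => 256] as $hash => $bits) {
        foreach ([4, 5, 6] as $bpc) {
            $len = sessionIdLength($bits, $bpc);
            $ent = sessionIdEntropyBits($len, $bpc, $bits);
            printf("%-7s %-4d %-5d %-7d %-12.1e %.1e\n", $hash, $bpc, $len, $ent,
                collisionLikelyAfter($ent), expectedGuesses($ent, 1000000));
        }
    }
    // A 26-character PHPSESSID, as in the question, is md5 at 5 bits per character.
    // PHP 7.1+ built-in defaults are sid_length=32 with sid_bits_per_character=4
    // (php.ini-production ships 26 and 5); both give at least 128 bits.

    // On PHP 7.1+ ask the engine for an id and check it matches the formula.
    // Run from the CLI so no session cookie or headers are involved.
    if (function_exists('session_create_id') && PHP_SAPI === 'cli') {
        ini_set('session.sid_length', '26');
        ini_set('session.sid_bits_per_character', '5');
        $id = session_create_id();
        printf("\nsession_create_id() => %s (%d chars, expected %d)\n",
            $id, strlen($id), (int) ini_get('session.sid_length'));
    }
}

main();
```

Run it with `php session_id_length.php`. The table makes the practical point of the reply concrete: md5 at 5 bits per character yields the 26-character ID from the question with at most 128 bits behind it, and at that width neither collisions nor online guessing are a realistic concern, so the length only matters if the bits feeding the generator were predictable in the first place.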

  3. #3
    AnthonySterling (Twitter: @AnthonySterling)
    Join Date: Apr 2008
    Location: North-East, UK.
    Posts: 6,111
    .....with a cryptographically secure source of randomness
    *Saves this one in his big book of 'things to say to the boss to sound cool'*

    SilverB.

  4. #4
    pavanpuligandla (SitePoint Zealot)
    Join Date: Sep 2008
    Location: Hyderabad
    Posts: 179
    Hey,
    I'm using the PHP script below, which MD5s the HTTP User-Agent, a secure word and the user's IP, and generates a 26-character session ID.
    Let me know whether this is secure or not.
    Code:
    <?php

    /*
      SecureSession class
      Written by Vagharshak Tozalakyan <vagh@armdex.com>
      Released under GNU Public License
    */

    class SecureSession
    {
        // Include browser name (User-Agent header) in the fingerprint?
        public $check_browser = true;

        // How many leading blocks of the client's dotted-quad IP to use (0-4)?
        public $check_ip_blocks = 2;

        // Control word - any word you want.
        public $secure_word = 'FUNDAMENTALS';

        // Regenerate session ID to prevent fixation attacks?
        public $regenerate_id = true;

        // Call this when initialising the session (after session_start()).
        public function Open()
        {
            $_SESSION['ss_fprint'] = $this->_Fingerprint();
            $this->_RegenerateId();
        }

        // Call this on later requests to check that the session still
        // belongs to the same browser / network as when it was opened.
        public function Check()
        {
            $this->_RegenerateId();
            return (isset($_SESSION['ss_fprint']) && $_SESSION['ss_fprint'] === $this->_Fingerprint());
        }

        // Internal function. Returns the MD5 of the fingerprint string, which is
        // built from the control word, the User-Agent header and the IP prefix.
        private function _Fingerprint()
        {
            $fingerprint = $this->secure_word;
            if ($this->check_browser) {
                // The header may be absent on some requests.
                $fingerprint .= isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
            }
            if ($this->check_ip_blocks) {
                $num_blocks = min(abs(intval($this->check_ip_blocks)), 4);
                // Splits on '.', so an IPv6 address contributes a single block.
                $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
                $blocks = explode('.', $addr);
                for ($i = 0; $i < $num_blocks && $i < count($blocks); $i++) {
                    $fingerprint .= $blocks[$i] . '.';
                }
            }
            return md5($fingerprint);
        }

        // Internal function. Regenerates the session ID if possible.
        // The delete_old_session argument of session_regenerate_id()
        // only exists from PHP 5.1.0 onwards.
        private function _RegenerateId()
        {
            if ($this->regenerate_id && function_exists('session_regenerate_id')) {
                if (version_compare(phpversion(), '5.1.0', '>=')) {
                    session_regenerate_id(true);
                } else {
                    session_regenerate_id();
                }
            }
        }
    }

    ?>
    Many thanks.

  5. #5
    logic_earth
    Join Date: Oct 2005
    Location: CA
    Posts: 9,013
    There is a lack of randomization, it is not secure. PHP's built in session ID generation is secure enough for your needs.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.
