Hello,

I'm just getting back into PHP since I left it 3 years ago, and while going over sessions again, I noticed that the session key is only 32 bits long. This seems to leave websites susceptible to brute force attacks where the session id can be guessed by a cracker. Using the following equation highlights the apparent problem:

((2^NumberOfBits)+1)/(2*NumberOfGuessesPerSecond*NumberOfActiveSessionsAtOneTime) = expected number of seconds required to guess a valid session identifier
As defined here: https://www.owasp.org/index.php/Insu...sion-ID_Length

Active Sessions   Seconds to guess with 1000 guesses per second   Represented in Hours   in Days   in Weeks   in Months   in Years
              1                                       2147483.6                35791.4    1491.3      213.0        53.3        4.4
              2                                       1073741.8                17895.7     745.7      106.5        26.6        2.2
              4                                        536870.9                 8947.8     372.8       53.3        13.3        1.1
              8                                        268435.5                 4473.9     186.4       26.6         6.7        0.6
             16                                        134217.7                 2237.0      93.2       13.3         3.3        0.3
             32                                         67108.9                 1118.5      46.6        6.7         1.7        0.1
             64                                         33554.4                  559.2      23.3        3.3         0.8        0.1
            128                                         16777.2                  279.6      11.7        1.7         0.4        0.0
            256                                          8388.6                  139.8       5.8        0.8         0.2        0.0
            512                                          4194.3                   69.9       2.9        0.4         0.1        0.0
           1024                                          2097.2                   35.0       1.5        0.2         0.1        0.0
           2048                                          1048.6                   17.5       0.7        0.1         0.0        0.0
           4096                                           524.3                    8.7       0.4        0.1         0.0        0.0
           8192                                           262.1                    4.4       0.2        0.0         0.0        0.0
          16384                                           131.1                    2.2       0.1        0.0         0.0        0.0
          32768                                            65.5                    1.1       0.0        0.0         0.0        0.0
          65536                                            32.8                    0.5       0.0        0.0         0.0        0.0
         131072                                            16.4                    0.3       0.0        0.0         0.0        0.0
         262144                                             8.2                    0.1       0.0        0.0         0.0        0.0
         524288                                             4.1                    0.1       0.0        0.0         0.0        0.0
        1048576                                             2.0                    0.0       0.0        0.0         0.0        0.0
        2097152                                             1.0                    0.0       0.0        0.0         0.0        0.0

I'm guessing the security community is already well aware of this; as a result, is there an easy fix other than not using native PHP sessions?

I'm interested to see what people think about this.

Thanks,
ro0bear
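An added worked example, not part of the post above: the OWASP formula implemented in Python so the "seconds" column can be regenerated and the same calculation run for longer identifiers (the 128-bit minimum the linked OWASP page recommends) and for a chosen target lifetime. The 1000 guesses/s rate and the doubling session counts are the post's own; the month and year lengths (30 and 365 days) and the function names are this example's assumptions. Checking the post's conversion columns against the formula is instructive in itself: each column divides the previous one by 60, 24, 7, 4 and 12 in turn, so the column headed "Hours" actually holds minutes, the "Days" column holds hours, and so on; the code below converts directly from seconds.

```python
"""Expected time to guess a valid session identifier, per the OWASP formula:

    ((2^bits) + 1) / (2 * guesses_per_second * active_sessions)

Added example; the unit lengths below are assumptions (30-day months, 365-day years).
"""

GUESSES_PER_SECOND = 1000  # rate assumed in the post's table

# Seconds per unit, converting straight from seconds (assumed calendar lengths).
UNITS = [
    ("hours", 3600),
    ("days", 86400),
    ("weeks", 7 * 86400),
    ("months", 30 * 86400),
    ("years", 365 * 86400),
]


def expected_seconds(bits, guesses_per_second, active_sessions):
    """Expected seconds until a random guess hits any currently valid session id.

    Any of the active_sessions valid ids is a hit, so the attacker's odds scale
    with the number of concurrently valid sessions, not just the key space.
    """
    return ((2 ** bits) + 1) / (2 * guesses_per_second * active_sessions)


def breakdown(seconds):
    """Express a duration in each unit of UNITS."""
    return {name: seconds / length for name, length in UNITS}


def table(bits, guesses_per_second=GUESSES_PER_SECOND, max_sessions=2 ** 21):
    """Rows of (active_sessions, expected_seconds, breakdown) for 1, 2, 4, ... sessions,
    mirroring the post's table, which stops at 2^21 = 2097152 sessions."""
    rows = []
    sessions = 1
    while sessions <= max_sessions:
        secs = expected_seconds(bits, guesses_per_second, sessions)
        rows.append((sessions, secs, breakdown(secs)))
        sessions *= 2
    return rows


def bits_needed(target_seconds, guesses_per_second, active_sessions):
    """Smallest identifier length (in bits) whose expected guessing time reaches
    target_seconds under the given attacker rate and session population."""
    bits = 1
    while expected_seconds(bits, guesses_per_second, active_sessions) < target_seconds:
        bits += 1
    return bits


if __name__ == "__main__":
    # Regenerate the post's seconds column for 32 bits, then repeat for 64 and 128 bits.
    for bits in (32, 64, 128):
        print(f"\n{bits}-bit identifier at {GUESSES_PER_SECOND} guesses/s")
        print(f"{'sessions':>9} {'seconds':>16} {'years':>12}")
        for sessions, secs, parts in table(bits):
            print(f"{sessions:>9} {secs:>16.1f} {parts['years']:>12.3g}")

    # Length needed so that a million concurrent sessions survive ten years of guessing.
    ten_years = 10 * 365 * 86400
    print("\nbits needed for 10 years at 1000 guesses/s with 2^20 sessions:",
          bits_needed(ten_years, GUESSES_PER_SECOND, 2 ** 20))
```

Running it reproduces the post's first column (2147483.6 s for a single 32-bit session down to 1.0 s for 2097152 sessions) and shows that the expected time is linear in the session population but exponential in identifier length, which is why adding bits is the lever that matters.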