Derick Rethans wrote:
PHP's generated from remote ID, process id, time and some randomness;
and then MD5'ed. That's 'better' than your random/MD5 based approach as
it's even less likely to result in collisions.

How can you tell without knowing what my source of random data is? And no, I'm not worried about an MD5 collision. I'm paranoid but not _that_ paranoid (and I'm not going to get into a discussion there either ;-))


I realize that I should have skipped the part about my own code as it was confusing and beside the point. I simply wanted to avoid people pointing out how they can guess PHP session IDs which might or might not be possible, I wouldn't know :-)

My point was: Don't give people a false sense of security and that's why I consider it a bad idea to put the patch into the PHP core.

- Chris

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php


