Hello Everyone, I've been reading that it's possible to encounter session ID collisions with the default PHP configuration. It's also been said that PHP utilizes a cryptographically weak random number generator to produce session ID information.
I know it's possible to change the hash function and entropy used in the generation of the ID, but after looking at the php_session_create_id() function in the source code, I am wondering if adding the User Agent string to the default setup would improve the uniqueness of the ID. What do you think?
Raymond