On 08/22/2012 09:48 PM, Raymond Irving wrote:
> Hello Everyone,
>
> I've been reading that it's possible to encounter session id collisions
> with the default php configuration. It's also been said that PHP utilizes a
> cryptographically weak random number generator to produce session ID information.
>
> I know it's possible to change the hash function and entropy used in the
> generation of the id but after looking at the php_session_create_id()
> function in the source code, I am wondering if adding the User Agent
> string to the default setup would improve the uniqueness of the id.
>
> What do you think?
Adding a widely-known string adds very little entropy. As of PHP 5.4 we default to using session.entropy_file set to /dev/urandom or /dev/random (if it is available) so there is no entropy issue with the default config as of 5.4. Before 5.4 users had to be aware enough to add that to their php.ini themselves.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
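An added illustration of Rasmus's point (example code, not from the thread and not PHP's own session code): a session ID built from a seed with limited real entropy has exactly as many possible values whether or not a widely-known string is appended, because the attacker knows the string and only the seed varies. The 16-bit seed space, the User-Agent string and the use of md5 as a stand-in for the old default session.hash_function are all constructed assumptions for the demonstration; the ini keys printed at the end are the real pre-5.4 knobs Rasmus refers to.

```php
<?php
// Added example, not part of the mailing-list thread or of PHP itself.
// Question: does appending a known string (the User-Agent) to the input of
// the session-ID hash make the ID harder to guess? Count distinct IDs.

// Constructed assumption: the underlying generator has only 16 bits of real
// entropy, i.e. 65536 possible seeds. Real weak generators differ in size,
// but the argument is the same for any seed space.
const SEED_BITS  = 16;
// Constructed sample UA string; any value the attacker can also send works.
const USER_AGENT = 'Mozilla/5.0 (constructed example UA)';

/**
 * Build the set of distinct session IDs reachable from every seed, hashing
 * seed . suffix the way a generator that mixed in the UA would.
 * md5 here stands in for the old default session.hash_function (assumption).
 */
function sessionIdsFromSeeds(int $seedBits, string $suffix = ''): array
{
    $ids = [];
    $count = 1 << $seedBits;
    for ($seed = 0; $seed < $count; $seed++) {
        $ids[md5($seed . $suffix)] = true;   // keyed array = set of IDs
    }
    return $ids;
}

$plain  = sessionIdsFromSeeds(SEED_BITS);
$withUa = sessionIdsFromSeeds(SEED_BITS, USER_AGENT);

// Both counts are 65536: the UA changes every ID's value but not how many
// IDs exist, so an attacker who knows the UA still has 2^16 guesses.
printf("distinct IDs, seed only:  %d\n", count($plain));
printf("distinct IDs, seed + UA:  %d\n", count($withUa));

// The actual fix is a real entropy source. On PHP < 5.4 this had to be set
// explicitly in php.ini, e.g.
//   session.entropy_file   = /dev/urandom
//   session.entropy_length = 32
// PHP 5.4 made an OS entropy file the default. Print what this runtime uses:
foreach (['session.entropy_file', 'session.entropy_length', 'session.hash_function'] as $key) {
    $value = ini_get($key);
    // ini_get() returns false when a setting does not exist in this PHP version
    printf("%-24s = %s\n", $key, $value === false ? '(not present)' : $value);
}
```

Running this on a pre-5.4 install with the defaults shows session.entropy_file empty, which is the situation Rasmus describes; on 5.4 through 7.0 it shows the entropy file picked up by default. From PHP 7.1 onward these three ini settings were removed entirely because session IDs are always drawn from the system CSPRNG, so the loop prints "(not present)" there, and the only remaining lever is session.sid_length / session.sid_bits_per_character rather than any user-supplied string.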