Hi,

2012/8/26 Stas Malyshev <smalys...@sugarcrm.com>:
> Hi!
>
>> I know session ID collision will most likely not happen, but
>> there are few people who worry about collision. We can check
>> for session ID collision when it is generated.
>
> You mean two randomly generated session IDs colliding? I think the
> probability of it is pretty low. I mean it'd take PHP's random number
> generator function to generate two equal random numbers in the same
> microsecond. And these are random 64-bit numbers, so unless you're
> generating billions of sessions per microsecond I don't think it's a
> very real concern.

Right,

Statistically, session ID collision will not happen.
It's very low even when we consider the birthday paradox.
We could also use a stronger hash (SHA-1 etc.) rather than MD5.

However, collision detection is easy and makes collision impossible.
That's the whole point of the patch. Collision is most unlikely, but
a unique session ID is the basis of security. It's worth having, IMHO.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
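
The check-on-generation idea discussed in this message, as an added example that is not part of the original thread and is not the patch under discussion. The in-memory store, the 128-bit ID width, the retry limit and all function names are assumptions made for illustration; `repeating_source` is a constructed faulty generator used to force a collision.

```c
#include <stdio.h>
#include <string.h>
#define SID_BYTES 16                 /* ID width is an assumption */
#define SID_HEX   (SID_BYTES * 2 + 1)
#define MAX_SESS  64
#define MAX_TRIES 3
/* Hypothetical in-memory store standing in for a session save handler. */
static char store[MAX_SESS][SID_HEX];
static int store_len, dup_left, seq;
typedef int (*sid_source)(unsigned char *buf, size_t len);
/* Normal source: the OS CSPRNG. Returns 0 on success. */
static int urandom_source(unsigned char *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(buf, 1, len, f) : 0;
    if (f) fclose(f);
    return n == len ? 0 : -1;
}
/* Constructed faulty source: repeats one value dup_left times. */
static int repeating_source(unsigned char *buf, size_t len) {
    memset(buf, dup_left > 0 ? 0xAA : 0xB0 + seq++, len);
    if (dup_left > 0) dup_left--;
    return 0;
}
static int sid_exists(const char *sid) {
    for (int i = 0; i < store_len; i++)
        if (strcmp(store[i], sid) == 0) return 1;
    return 0;
}

/* Draw an ID, redraw on collision, fail closed after MAX_TRIES.
 * Returns the number of collisions seen, or -1 on failure. */
static int create_session(sid_source src, char *out) {
    unsigned char raw[SID_BYTES];
    for (int collisions = 0; collisions < MAX_TRIES; collisions++) {
        if (src(raw, sizeof raw) != 0) return -1;
        for (int i = 0; i < SID_BYTES; i++)
            sprintf(out + 2 * i, "%02x", raw[i]);
        if (sid_exists(out)) continue;          /* collision: draw again */
        if (store_len == MAX_SESS) return -1;
        strcpy(store[store_len++], out);
        return collisions;
    }
    return -1;
}

int main(void) {
    char sid[SID_HEX];
    if (create_session(urandom_source, sid) < 0) return 1;
    printf("new session %s\n", sid);
    return 0;
}
```

A repeated collision from a healthy generator is so improbable that hitting the retry limit is better treated as a sign of a broken random source than as bad luck, which is why the function refuses to issue an ID instead of looping.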
