On Mon, Aug 15, 2016 at 5:13 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Let me paraphrase OWASP's document to show why.
>
> "Now assume a 128 bit session identifier that provides 64 bits of
> entropy. With a very large web site, legitimate users might create
> 10,000 new session IDs per second (new and regenerated sessions) with
> 10,000,000 valid session identifiers available to be collided. Given
> these assumptions, the expected time for the web system to have a
> collided identifier is greater than 2 years."
>
> Assumptions for security should be pessimistic. OWASP makes a pessimistic
> assumption for entropy in session IDs, probably because proving "the CSPRNG
> generates good quality random bytes" is difficult.
>
> 10M active sessions are possible even with relatively small sites
> because there are users who use a very long session ID lifetime for
> "auto login". 10K new session IDs per second are possible for relatively small
> sites also, because OWASP recommends session ID regeneration every
> 15 minutes.
I forgot to mention that "session management without timestamps will make the situation worse", because session_regenerate_id() creates many active sessions by default. (Please refer to the declined RFC on timestamp-managed sessions: https://wiki.php.net/rfc/precise_session_management )

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
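Added worked example, not part of the message above or of the PHP RFC: the collision arithmetic the argument rests on, in Python. The load figures (64 bits of entropy, 10,000 new IDs per second, 10,000,000 active sessions, a 2-year target) are the ones quoted from OWASP in the message; the Little's-law estimate of active sessions from regeneration rate and lifetime, the birthday-bound helper and all function names are my own assumptions for illustration.

```python
"""Session-ID collision arithmetic (illustrative; figures taken from the
quoted OWASP paraphrase, helper names and the Little's-law model are assumptions)."""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def p_fresh_id_collides(entropy_bits: int, active_sessions: int) -> float:
    """Probability that ONE freshly generated ID equals one of the currently
    active IDs, assuming the generator is uniform over 2**entropy_bits values."""
    return active_sessions / 2.0 ** entropy_bits


def expected_seconds_to_collision(entropy_bits: int, new_ids_per_sec: float,
                                  active_sessions: int) -> float:
    """Expected wall-clock time until some new ID collides with an active one.
    Collisions arrive at rate p * new_ids_per_sec, so the mean waiting time is
    the reciprocal of that rate (the pessimistic 'steady-state' model the
    quoted OWASP text uses: the pool of active IDs stays at its maximum)."""
    rate = p_fresh_id_collides(entropy_bits, active_sessions) * new_ids_per_sec
    return 1.0 / rate


def min_entropy_bits(new_ids_per_sec: float, active_sessions: int,
                     target_seconds: float) -> int:
    """Smallest entropy (in bits) whose expected time-to-collision under the
    model above is at least target_seconds."""
    return math.ceil(math.log2(new_ids_per_sec * active_sessions * target_seconds))


def active_sessions_from_regeneration(new_ids_per_sec: float,
                                      lifetime_seconds: float) -> float:
    """Little's law (assumption): if every regenerated ID stays valid for
    lifetime_seconds, the number of simultaneously valid IDs is
    arrival rate x lifetime. This is how 'regenerate every 15 minutes' without
    expiring the old ID inflates the pool that can be collided."""
    return new_ids_per_sec * lifetime_seconds


def birthday_bound_ids(entropy_bits: int, target_prob: float = 0.5) -> float:
    """Number of IDs that must be drawn before ANY two of them collide with
    probability target_prob (standard birthday approximation
    sqrt(2 N ln(1/(1-p))) for N = 2**entropy_bits). Different question from the
    steady-state model: here nothing ever expires."""
    n_space = 2.0 ** entropy_bits
    return math.sqrt(2.0 * n_space * math.log(1.0 / (1.0 - target_prob)))


if __name__ == "__main__":
    t = expected_seconds_to_collision(64, 10_000, 10_000_000)
    print(f"64-bit IDs, 10k/s, 10M active: {t / SECONDS_PER_YEAR:.1f} years to expected collision")
    print(f"bits needed for a 2-year bound: {min_entropy_bits(10_000, 10_000_000, 2 * SECONDS_PER_YEAR)}")
    print(f"active IDs if each regenerated ID lives 15 min: "
          f"{active_sessions_from_regeneration(10_000, 15 * 60):,.0f}")
    print(f"birthday bound at 64 bits (p=0.5): {birthday_bound_ids(64):.3g} IDs")
    t128 = expected_seconds_to_collision(128, 10_000, 10_000_000)
    print(f"same load with 128 bits of entropy: {t128 / SECONDS_PER_YEAR:.3g} years")
```

Two things worth noticing when running it: the 10,000,000 active sessions in the quoted figure is roughly what 10,000 regenerations per second produce if each old ID lives on for 15 minutes, which is the point the message makes about session_regenerate_id() leaving stale IDs active; and moving from 64 to 128 bits of effective entropy changes the expected time to collision by a factor of 2^64, so the per-ID collision probability stops being a practical concern and the argument shifts entirely to whether the generator really delivers that entropy.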