Hi…
Can anyone provide information about the length of PHPSESSID?
I saw JSESSID is 16 characters long, and in my application PHPSESSID is 26 characters,
but in Gmail I saw a SID of over 100 characters…
Does this session ID length have any prominence?
Please post detailed session ID information, like:
How many characters can a PHPSESSID contain?
Are there any security vulnerabilities if the session ID is small?
Shorter session ID lengths have the higher chance of collision, but this also depends a lot on the ID generation algorithm. Given the default settings, the length of the session ID should be appropriate for most applications. For higher-security implementations, you may consider looking into how PHP generates its session IDs and check whether it’s cryptographically secure. If it isn’t, then you should roll your own algorithm with a cryptographically secure source of randomness.
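To put the point about length and collision risk into numbers, here is an added example (not code from this thread) that computes the effective entropy of a session ID and the birthday-bound probability that two live sessions share an ID. It assumes the 26-character PHPSESSID comes from PHP's MD5-based generator encoded at 5 bits per character (the php.ini setting session.hash_bits_per_character = 5), assumes alphabets for the other IDs mentioned, and uses OWASP's 64-bit entropy floor; those figures are assumptions, not facts from the thread.

```python
import math

# OWASP Session Management Cheat Sheet floor for session ID entropy.
MIN_ENTROPY_BITS = 64

def id_entropy_bits(length, bits_per_char, generator_bits=None):
    """Effective entropy of a session ID.

    The string can carry length * bits_per_char bits, but never more than the
    generator that produced it (a 128-bit MD5 digest yields at most 128 bits,
    however it is encoded)."""
    nominal = length * bits_per_char
    return nominal if generator_bits is None else min(nominal, generator_bits)

def collision_probability(entropy_bits, active_sessions):
    """Birthday bound: chance that two of `active_sessions` uniformly random
    IDs from a space of 2**entropy_bits values coincide."""
    space = 2.0 ** entropy_bits
    # -expm1(-x) == 1 - exp(-x), computed without cancellation for tiny x.
    return -math.expm1(-(active_sessions ** 2) / (2.0 * space))

def sessions_at_risk(entropy_bits, risk=0.5):
    """How many simultaneous sessions push collision probability to `risk`."""
    return math.sqrt(-2.0 * (2.0 ** entropy_bits) * math.log1p(-risk))

def assess(name, length, bits_per_char, generator_bits=None, active_sessions=1_000_000):
    """Summarise one ID format against the entropy floor and collision risk."""
    bits = id_entropy_bits(length, bits_per_char, generator_bits)
    return {
        "id": name,
        "entropy_bits": bits,
        "meets_floor": bits >= MIN_ENTROPY_BITS,
        "p_collision": collision_probability(bits, active_sessions),
    }

# Constructed figures for the IDs named in the thread. Alphabet widths and
# the 128-bit MD5 generator behind PHPSESSID are assumptions, not thread facts.
THREAD_IDS = [
    ("PHPSESSID (26 chars, 5 bits/char, MD5 source)", 26, 5, 128),
    ("JSESSIONID (16 chars, assumed hex)", 16, 4, None),
    ("Gmail SID (100 chars, assumed base64)", 100, 6, None),
]

if __name__ == "__main__":
    for args in THREAD_IDS:
        r = assess(*args)
        print(f"{r['id']}: {r['entropy_bits']} bits, floor ok={r['meets_floor']}, "
              f"p(collision @1M sessions)={r['p_collision']:.2e}")
```

Note that a 26-character ID at 5 bits per character could hold 130 bits, but if it is derived from a 128-bit MD5 digest the extra capacity is padding, which is why the generator's entropy, not the string length, is what to check.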
Hey…
I’m using the PHP script below, which MD5s the HTTP User-Agent, a secure word and the user IP, generating a 26-character session ID.
Let me know whether this is a secure one or not…
<?php
/*
SecureSession class
Written by Vagharshak Tozalakyan <vagh@armdex.com>
Released under GNU Public License
*/
class SecureSession
{
    // Include browser name in fingerprint?
    var $check_browser = true;
    // How many numbers from IP use in fingerprint?
    var $check_ip_blocks = 2;
    // Control word - any word you want.
    var $secure_word = 'FUNDAMENTALS';
    // Regenerate session ID to prevent fixation attacks?
    var $regenerate_id = true;

    // Call this when init session (after session_start()).
    function Open()
    {
        $_SESSION['ss_fprint'] = $this->_Fingerprint();
        $this->_RegenerateId();
    }

    // Call this to check session. Returns true when the stored fingerprint
    // matches the current request. The session ID itself is still produced
    // by PHP; this class only binds the session to a client fingerprint.
    function Check()
    {
        $this->_RegenerateId();
        return (isset($_SESSION['ss_fprint']) && $_SESSION['ss_fprint'] == $this->_Fingerprint());
    }

    // Internal function. Returns MD5 from fingerprint.
    function _Fingerprint()
    {
        $fingerprint = $this->secure_word;
        if ($this->check_browser) {
            // The header may be absent; avoid an undefined-index notice.
            $fingerprint .= isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        }
        if ($this->check_ip_blocks) {
            $num_blocks = abs(intval($this->check_ip_blocks));
            if ($num_blocks > 4) {
                $num_blocks = 4;
            }
            $blocks = explode('.', $_SERVER['REMOTE_ADDR']);
            // An IPv6 address has no dots, so never read past the blocks that exist.
            $num_blocks = min($num_blocks, count($blocks));
            for ($i = 0; $i < $num_blocks; $i++) {
                $fingerprint .= $blocks[$i] . '.';
            }
        }
        return md5($fingerprint);
    }

    // Internal function. Regenerates session ID if possible.
    function _RegenerateId()
    {
        if ($this->regenerate_id && function_exists('session_regenerate_id')) {
            // The delete_old_session argument only exists from PHP 5.1.0 on,
            // so compare the running version against 5.1.0 (not the reverse).
            if (version_compare(phpversion(), '5.1.0', '>=')) {
                session_regenerate_id(true);
            } else {
                session_regenerate_id();
            }
        }
    }
}
?>