Length of a PHP SessionID

Hi…
Can anyone provide information about the length of PHPSESSID?
I saw JSESSIONID is 16 characters long, and in my application PHPSESSID is 26 characters,
but in Gmail I saw an SID of over 100 characters…

Does this session ID length have any prominence?
Please post detailed session ID information, like:
how many characters can a PHPSESSID contain?
are there any security vulnerabilities if the session ID is small?

Many thanks,
Pavan.P

It depends on these configuration settings:
session.hash_function and [url=http://php.net/manual/en/session.configuration.php#ini.session.hash-bits-per-character]session.hash_bits_per_character[/url]

Shorter session ID lengths have a higher chance of collision, but this also depends a lot on the ID generation algorithm. Given the default settings, the length of the session ID should be appropriate for most applications. For higher-security implementations, you may consider looking into how PHP generates its session IDs and checking whether it’s cryptographically secure. If it isn’t, then you should roll your own algorithm with a cryptographically secure source of randomness.
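
Worked example (added here for illustration; it is not code from the thread, from Pavan's script, or from PHP itself): how the two settings above turn into a session ID length, and what "roll your own with a cryptographically secure source of randomness" looks like in practice. On PHP before 7.1, session.hash_function selects MD5 (128 bits) or SHA-1 (160 bits) and session.hash_bits_per_character packs that digest into 4-, 5- or 6-bit characters, so MD5 at 5 bits per character gives the 26-character PHPSESSID from the question, while MD5 at 4 bits gives 32. PHP 7.1 dropped both settings in favour of session.sid_length and session.sid_bits_per_character and draws the ID from a CSPRNG. The function names below are my own, and the hand-rolled path assumes PHP 7.0 (random_bytes() available, session_create_id() not yet).

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Function names are the editor's own.

// Session ID length for PHP < 7.1: a digest of $digestBits bits (MD5 = 128,
// SHA-1 = 160) packed into characters of session.hash_bits_per_character
// bits each, rounded up to whole characters.
function phpSessionIdLength(int $digestBits, int $bitsPerChar): int
{
    if (!in_array($bitsPerChar, [4, 5, 6], true)) {
        throw new InvalidArgumentException('hash_bits_per_character must be 4, 5 or 6');
    }
    return intdiv($digestBits + $bitsPerChar - 1, $bitsPerChar);
}

// Encode raw bytes with the same alphabets PHP uses for its session IDs:
// 4 bits -> 0-9a-f, 5 bits -> 0-9a-v, 6 bits -> 0-9a-zA-Z plus ',' and '-'.
function encodeSessionId(string $raw, int $bitsPerChar): string
{
    $alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-';
    $mask = (1 << $bitsPerChar) - 1;
    $out = '';
    $acc = 0;    // bit accumulator
    $nbits = 0;  // number of unconsumed bits in $acc
    for ($i = 0, $n = strlen($raw); $i < $n; $i++) {
        $acc = ($acc << 8) | ord($raw[$i]);
        $nbits += 8;
        while ($nbits >= $bitsPerChar) {
            $nbits -= $bitsPerChar;
            $out .= $alphabet[($acc >> $nbits) & $mask];
        }
        $acc &= (1 << $nbits) - 1;  // discard bits already emitted
    }
    if ($nbits > 0) {
        // Left-justify the leftover bits into one final character.
        $out .= $alphabet[($acc << ($bitsPerChar - $nbits)) & $mask];
    }
    return $out;
}

// A session ID whose only input is a CSPRNG. 16 bytes = 128 bits of entropy;
// at 5 bits per character that is the same 26-character shape PHP produces.
function makeSessionId(int $entropyBytes = 16, int $bitsPerChar = 5): string
{
    return encodeSessionId(random_bytes($entropyBytes), $bitsPerChar);
}

// Hand-rolled path for PHP 7.0: fix the ID before session_start().
// On PHP >= 7.1 use session_create_id() and the session.sid_* settings instead.
function startSessionWithFreshId(): string
{
    $id = makeSessionId();
    session_id($id);
    session_start();
    return $id;
}

// Demonstration: lengths implied by each setting, and a freshly minted ID.
$combos = [[128, 4], [128, 5], [128, 6], [160, 4], [160, 5], [160, 6]];
foreach ($combos as list($bits, $bpc)) {
    printf("%3d-bit digest at %d bits/char -> %2d characters\n",
        $bits, $bpc, phpSessionIdLength($bits, $bpc));
}
$id = makeSessionId();
printf("CSPRNG id: %s (%d characters)\n", $id, strlen($id));
```

Run it from the command line with php. The first six lines show why switching hash_bits_per_character from 4 to 5 shrinks an MD5-based PHPSESSID from 32 to 26 characters without changing how many bits it carries. Length by itself says little: a 26-character ID is worth 128 bits of guessing work only if all 128 bits came from a source the attacker cannot predict, which is why the reply above tells you to look at the generator rather than the character count.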

…with a cryptographically secure source of randomness

[B]Saves this one in his big book of ‘things to say to the boss to sound cool’[/B]

:smiley:

SilverB.

Hey…
I’m using the PHP script below, which MD5s the HTTP User-Agent, a secure word and the user’s IP and generates a 26-character session ID.
Let me know whether this is a secure one or not…

<?php

/*
  SecureSession class
  Written by Vagharshak Tozalakyan <vagh@armdex.com>
  Released under GNU Public License
*/

class SecureSession
{
    // Include browser name (User-Agent header) in fingerprint?
    public $check_browser = true;

    // How many leading dotted-quad blocks of the client IP to include in the
    // fingerprint (0 = none, at most 4). Fewer blocks tolerate clients whose
    // address moves within a subnet (proxies, mobile networks).
    public $check_ip_blocks = 2;

    // Control word - any word you want. Mixed into the fingerprint.
    public $secure_word = 'FUNDAMENTALS';

    // Regenerate session ID to prevent fixation attacks?
    public $regenerate_id = true;

    // Call this when initialising the session (after session_start()).
    public function Open()
    {
        $_SESSION['ss_fprint'] = $this->_Fingerprint();
        $this->_RegenerateId();
    }

    // Call this to check the session on later requests. Returns true only
    // when the fingerprint stored at Open() matches the current request.
    public function Check()
    {
        $this->_RegenerateId();
        if (!isset($_SESSION['ss_fprint'])) {
            return false;
        }
        // Strict comparison: == would let PHP compare two hex digests
        // numerically when both happen to look like "0e123..." numbers.
        return $_SESSION['ss_fprint'] === $this->_Fingerprint();
    }

    // Internal function. Returns MD5 of the fingerprint. The fingerprint is
    // built only from the control word and request properties, so it is
    // deterministic: the same client always gets the same digest.
    public function _Fingerprint()
    {
        $fingerprint = $this->secure_word;
        if ($this->check_browser) {
            // Header may be absent (CLI, stripped by a proxy): treat as empty.
            $fingerprint .= isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
        }
        if ($this->check_ip_blocks) {
            $num_blocks = min(abs(intval($this->check_ip_blocks)), 4);
            $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
            $blocks = explode('.', $addr);
            for ($i = 0; $i < $num_blocks; $i++) {
                // Missing blocks (e.g. an IPv6 address) contribute an empty string
                // instead of raising an undefined-offset notice.
                $fingerprint .= (isset($blocks[$i]) ? $blocks[$i] : '') . '.';
            }
        }
        return md5($fingerprint);
    }

    // Internal function. Regenerates session ID if possible.
    public function _RegenerateId()
    {
        if ($this->regenerate_id && function_exists('session_regenerate_id')) {
            // The $delete_old_session argument exists from PHP 5.1.0 on; the
            // original compared the two versions the wrong way round, so it
            // only passed true on PHP 5.1.0 and older.
            if (version_compare(phpversion(), '5.1.0', '>=')) {
                session_regenerate_id(true);
            } else {
                session_regenerate_id();
            }
        }
    }
}

?>

Many thanks.

There is a lack of randomization; it is not secure. PHP’s built-in session ID generation is secure enough for your needs.