Hi Rasmus,

Many thanks for the information.

It would be great if this information can be added to the docs:

http://www.php.net/manual/en/session.configuration.php#ini.session.entropy-file



__
Raymond

On Thu, Aug 23, 2012 at 10:03 AM, Rasmus Lerdorf <ras...@lerdorf.com> wrote:

> On 08/22/2012 09:48 PM, Raymond Irving wrote:
> > Hello Everyone,
> >
> > I've been reading that it's possible to encounter session ID collisions
> > with the default PHP configuration. It's also been said that PHP utilizes a
> > cryptographically weak random number generator to
> > produce session ID information.
> >
> >
> > I know it's possible to change the hash function and entropy used in the
> > generation of the ID but after looking at the php_session_create_id()
> > function in the source code, I am wondering if adding the User Agent
> > string to the default setup would improve the uniqueness of the ID.
> >
> > What do you think?
>
> Adding a widely-known string adds very little entropy. As of PHP 5.4 we
> default to using session.entropy_file set to /dev/urandom or /dev/random
> (if it is available) so there is no entropy issue with the default
> config as of 5.4. Before 5.4 users had to be aware enough to add that to
> their php.ini themselves.
>
> -Rasmus
>
>

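As an added illustration of the point Rasmus makes (this is not code from the thread or from PHP itself), the script below reports where the running PHP build gets its session-ID entropy and flags the weak settings. The directive names are the real php.ini ones: session.entropy_file, session.entropy_length and session.hash_function on PHP 5.3 through 7.0, and session.sid_length / session.sid_bits_per_character on 7.1 and later, where the entropy_* directives were removed because the ID is always drawn from the OS CSPRNG. The thresholds (32 bytes of entropy, 128 bits of ID space) and the /dev/urandom check are this example's own choices and assume a Unix-like host.

```php
<?php
// Added example, not part of the original thread or of PHP.
// Reports how this build sources session-ID entropy and whether the
// configuration matches the post-5.4 default that Rasmus describes.
// Thresholds below are this example's assumptions, not PHP's.

function session_entropy_report(): array
{
    $report = ['php' => PHP_VERSION, 'ok' => true, 'notes' => []];

    if (PHP_VERSION_ID >= 70100) {
        // PHP 7.1+ always reads the OS CSPRNG; the only knobs left are the
        // ID length and the alphabet width, which together bound the ID space.
        $len   = (int) ini_get('session.sid_length');
        $bits  = (int) ini_get('session.sid_bits_per_character');
        $total = $len * $bits;
        $report['notes'][] = "sid_length=$len, sid_bits_per_character=$bits, ~$total bits of ID space";
        if ($total < 128) { // assumed minimum for this example
            $report['ok'] = false;
            $report['notes'][] = 'raise session.sid_length (e.g. 48) and/or session.sid_bits_per_character (e.g. 6)';
        }
        return $report;
    }

    // PHP 5.3-7.0: session.entropy_file names the CSPRNG device that is
    // mixed into the ID.  An empty value means only the legacy
    // time/pid/LCG seed is used, which is the pre-5.4 default.
    $file = (string) ini_get('session.entropy_file');
    $n    = (int) ini_get('session.entropy_length');
    $hash = (string) ini_get('session.hash_function');
    $report['notes'][] = "entropy_file='$file', entropy_length=$n, hash_function='$hash'";

    if ($file === '' || !is_readable($file)) {
        $report['ok'] = false;
        $report['notes'][] = 'set session.entropy_file=/dev/urandom (the PHP 5.4 default)';
    }
    if ($n < 32) { // assumed minimum for this example
        $report['ok'] = false;
        $report['notes'][] = 'set session.entropy_length=32 or more';
    }
    if ($hash === '0' || $hash === '') {
        // 0 = MD5; any algorithm from hash_algos() (e.g. sha256) is accepted here.
        $report['notes'][] = 'hash_function is MD5; sha256 widens the ID without costing entropy';
    }
    return $report;
}

$r = session_entropy_report();
printf("PHP %s: session-ID entropy config is %s\n", $r['php'], $r['ok'] ? 'OK' : 'WEAK');
foreach ($r['notes'] as $note) {
    echo "  - $note\n";
}
```

Run it with `php session_entropy_report.php` on the target host; on a pre-5.4 install with a stock php.ini it reports WEAK with the /dev/urandom hint, which is exactly the setting Rasmus says users had to add by hand before 5.4. Note that the check only tells you the ID is drawn from a CSPRNG; as the reply points out, appending a predictable value such as the User-Agent to that ID would lengthen it without adding any entropy an attacker does not already have.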