Hi Lester,

On Tue, Aug 16, 2016 at 11:51 PM, Lester Caine <les...@lsces.co.uk> wrote:
> On 16/08/16 13:08, Tom Worster wrote:
>>> >The default 128-bit session ID is large enough to ignore collisions
>>> >https://wiki.php.net/rfc/session-create-id#discussions
>>> >
>>> >It describes this for an application, but PHP is a platform.
>>> >There are millions of PHP apps or more, and there could be billions of
>>> >active sessions. Tens of thousands of new session IDs or more could
>>> >be created. Apply the calculation for the expected time of a possible
>>> >collision.
>>> >
>>> >Are you still sure "There will be no collisions at all"?
>> The calculation underestimates the difficulty of finding collisions by 38
>> decimal orders of magnitude. The number of different SIDs in default PHP
>> config is 2^192, not 2^64. So yes, I am still sure.
>
> In a distributed system which would be required to handle millions of
> sessions at the same time, then one will have thousands of copies of PHP
> running and shared via some sort of traffic manager. So unless some sort
> of mechanism is included to provide identification of the PHP instance
> then it is probable that different instances will all produce the same
> sequence of numbers. A UUID generator provided to ensure every
> distributed service has a uniquely identifiable id for every 'session'
> is not something that forms part of a single instance of PHP. It must be
> centrally managed with a central session store. All that a single
> instance of PHP should be worrying about is a few hundred active sessions?

Most PHP applications do not have to worry much, as it would be
extremely rare, i.e. application users shouldn't worry much, or even at all.

However, we are developers who are dealing with "authentication" related issues.
Developers should make sure of 120% correctness of authentication whenever
it is possible.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
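The thread argues about the collision arithmetic without showing it. The following is an added worked example (not part of the mailing-list thread and not PHP's own session code) that does the birthday-bound calculation for an ID space of a given number of bits, so the reader can plug in 64, 128 or 192 bits and the rates under discussion. The rate of ten thousand new IDs per second and one billion active sessions used in main() are assumptions constructed from the figures mentioned in the thread, not measurements; the function names are the example's own.

```python
"""Birthday-bound arithmetic for session ID collisions.

Added worked example; not code from the thread or from PHP.  It only does
the arithmetic the thread argues about: how likely a collision is for an
ID space of `bits` bits, given how many IDs are generated or live.
The rates and counts in main() are constructed assumptions based on the
figures mentioned in the thread, not measurements.
"""
import math

SECONDS_PER_YEAR = 365.25 * 86400


def collision_probability(bits: int, n: int) -> float:
    """Probability that at least two of n uniformly random `bits`-bit IDs
    coincide (birthday bound: p ~= 1 - exp(-n^2 / 2^(bits+1))).
    expm1 keeps precision when the probability is astronomically small,
    where a naive 1 - exp(-x) would round to exactly 0.0."""
    x = (n * n) / 2 ** (bits + 1)
    return -math.expm1(-x)


def ids_for_even_odds(bits: int) -> float:
    """Number of IDs after which a collision is more likely than not:
    solve 1 - exp(-n^2 / 2^(bits+1)) = 1/2  ->  n = sqrt(2 ln 2 * 2^bits)."""
    return math.sqrt(2 * math.log(2) * 2 ** bits)


def years_to_even_odds(bits: int, ids_per_second: float) -> float:
    """Years of continuous ID generation at `ids_per_second` before the
    all-time birthday probability reaches 1/2."""
    return ids_for_even_odds(bits) / ids_per_second / SECONDS_PER_YEAR


def new_id_hits_active_session(bits: int, active_sessions: int) -> float:
    """Probability that one freshly generated ID equals one of the
    `active_sessions` IDs currently live.  This, not the all-time birthday
    count, is the event that would let a new user land in someone else's
    session."""
    return active_sessions / 2 ** bits


def expected_hits_per_year(bits: int, ids_per_second: float,
                           active_sessions: int) -> float:
    """Expected number of times per year a new ID lands on a live session."""
    return (new_id_hits_active_session(bits, active_sessions)
            * ids_per_second * SECONDS_PER_YEAR)


def main() -> None:
    # Constructed assumptions, chosen to match the thread's rough figures.
    ids_per_second = 1e4        # "tens of thousands" of new IDs per second
    active_sessions = 10 ** 9   # "billions" of active sessions
    print(f"{'bits':>5} {'years to p=1/2':>16} {'P(new hits live)':>18} "
          f"{'expected hits/yr':>18}")
    for bits in (64, 128, 192):
        print(f"{bits:>5} {years_to_even_odds(bits, ids_per_second):>16.3e} "
              f"{new_id_hits_active_session(bits, active_sessions):>18.3e} "
              f"{expected_hits_per_year(bits, ids_per_second, active_sessions):>18.3e}")


if __name__ == "__main__":
    main()
```

Running it shows the point each side is making: at 64 bits the platform-wide birthday bound is reached in well under a year at these rates, whereas at 128 bits it takes tens of millions of years and the chance that any single new ID lands on a live session is on the order of 10^-30. The model assumes IDs are drawn uniformly from a CSPRNG; Lester's concern about many instances producing the same sequence is a seeding question that no amount of ID length fixes, and this arithmetic does not cover it.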