PHP session IDs -- how are they generated?


Question

When I call session_start() or session_regenerate_id(), PHP generates what appears to be a random string for the session ID. What I want to know is, is it just a random sequence of characters, or is it like the uniqid() function?

Because if it's just random characters, couldn't you theoretically run into a conflict? If User A logged in and then User B logged in and, though highly unlikely, User B generated the same session ID, then User B would end up accessing User A's account.

Even if PHP checks to see if a session with the same ID already exists and, if so, regenerates an ID again... I don't think I want a system that EVER produces the same ID twice, even after garbage collection -- maybe I want to store a table of them and check against them for possible hijacking or whatever.

If it isn't unique, how should I go about enforcing uniqueness? I'd rather implement it using PHP configuration than in every script I make. Nice thing about PHP sessions is not worrying about the technical details behind the scenes.

Accepted answer

If you want to know how PHP generates a session ID by default check out the source code on Github. It is certainly not random and is based on a hash (default: md5) of these ingredients (see line 310 of code snippet):

  1. IP address of the client
  2. Current time
  3. PHP Linear Congruence Generator - a pseudo random number generator (PRNG)
  4. OS-specific random source - if the OS has a random source available (e.g. /dev/urandom)

If the OS has a random source available then the strength of the generated ID for the purpose of being a session ID is high (/dev/urandom and other OS random sources are (usually) cryptographically secure PRNGs). If however it does not, then it is satisfactory.

The goal with session identification generation is to:

  1. Minimize the probability of generating two session IDs with the same value
  2. Make it computationally very challenging to generate a random key and hit one that is in use.

This is achieved by PHP's approach to session generation.

You cannot absolutely guarantee uniqueness, but the probabilities are so low of hitting the same hash twice that it is, generally speaking, not worth worrying about.
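As an added example (not part of the original question or answer), here is the uniqueness check the question asks for, in PHP: a CSPRNG-backed session ID generator with an explicit collision check against a store of issued IDs (the `IssuedIds` class is a hypothetical stand-in for the real session backend), plus the birthday-bound estimate that shows why the check almost never triggers.

```php
<?php
// Added example: CSPRNG-backed session ID generation with an explicit
// uniqueness check, and the birthday-bound collision estimate.
declare(strict_types=1);

// Hypothetical in-memory store of issued IDs. In a real deployment this
// would be the session storage backend (files, Redis, a database table).
final class IssuedIds
{
    private array $ids = [];

    public function has(string $id): bool
    {
        return isset($this->ids[$id]);
    }

    public function add(string $id): void
    {
        $this->ids[$id] = true;
    }
}

// Draw the ID from the OS CSPRNG (random_bytes) and retry until it is not
// already issued. 16 bytes = 128 bits of entropy, rendered as 32 hex chars.
function uniqueSessionId(IssuedIds $store, int $bytes = 16): string
{
    for ($attempt = 0; $attempt < 8; $attempt++) {
        $id = bin2hex(random_bytes($bytes));
        if (!$store->has($id)) {
            $store->add($id);
            return $id;
        }
    }
    // Repeated collisions at 128 bits mean the RNG is broken, not unlucky.
    throw new RuntimeException('repeated session ID collisions: check the RNG');
}

// Birthday-bound approximation: the probability of at least one collision
// among $n IDs drawn uniformly from 2^$bits values is about n^2 / 2^(bits+1).
// PHP promotes 2 ** 129 to float, so this stays finite.
function collisionProbability(int $n, int $bits): float
{
    return ($n ** 2) / (2 ** ($bits + 1));
}

$store = new IssuedIds();
$a = uniqueSessionId($store);
$b = uniqueSessionId($store);
assert($a !== $b);
printf("%s\n%s\n", $a, $b);
// One billion 128-bit IDs: roughly 1.5e-21, i.e. not worth a lookup table
printf("%.1e\n", collisionProbability(10 ** 9, 128));
```

PHP 7.1 and later already draw session IDs from the OS CSPRNG (see `session_create_id()` and the `session.sid_length` / `session.sid_bits_per_character` ini settings), so the retry loop is a belt-and-braces check rather than a requirement. For the hijacking concern in the question, `session.use_strict_mode=1` makes PHP reject any client-supplied ID that the backend did not itself issue.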

