PHP会话ID - 它们是如何生成的？ [英] PHP session IDs -- how are they generated?

问题描述

当我调用 session_start（）或 session_regenerate_id（）时，PHP会生成似乎是一个随机字符串会话ID。我想知道的是，它只是一个随机的字符序列，还是像 uniqid（） function？

When I call session_start() or session_regenerate_id(), PHP generates what appears to be a random string for the session ID. What I want to know is, is it just a random sequence of characters, or is it like the uniqid() function?

因为如果它只是随机字符，你理论上不会遇到冲突？如果用户A登录，然后用户B登录，并且虽然极不可能，用户B生成相同的会话ID，然后用户B将最终访问用户A的帐户。

Because if it's just random characters, couldn't you theoretically run into a conflict? If User A logged in and then User B logged in and, though highly unlikely, User B generated the same session ID, then User B would end up accessing User A's account.

即使PHP检查是否已经存在具有相同ID的会话，如果是，则再次重新生成ID ...我不认为我想要一个系统，即使在垃圾收集后也会生成相同的ID两次 - - 也许我想存储一个表，并检查他们可能的劫持或任何。

Even if PHP checks to see if a session with the same ID already exists and, if so, regenerates an ID again... I don't think I want a system that EVER produces the same ID twice, even after garbage collection -- maybe I want to store a table of them and check against them for possible hijacking or whatever.

如果它不是唯一的，我应该如何强制执行唯一性？我宁愿实现它使用PHP配置比我在每个脚本。

If it isn't unique, how should I go about enforcing uniqueness? I'd rather implement it using PHP configuration than in every script I make. Nice thing about PHP sessions is not worrying about the technical details behind the scenes.

推荐答案

如果你想知道PHP如何生成一个会话ID默认情况下检查 Github 上的源代码。 当然不是随机，基于这些成分的散列（默认值：md5）（请参阅代码段第310行）：

If you want to know how PHP generates a session ID by default check out the source code on Github. It is certainly not random and is based on a hash (default: md5) of these ingredients (see line 310 of code snippet):

1. IP地址。


2. 当前时间 PHP线性一致性生成器 - 伪随机数生成器（PRNG）


3. 操作系统特定随机源源可用（例如/ dev / urandom）

1. IP address of the client
2. Current time
3. PHP Linear Congruence Generator - a pseudo random number generator (PRNG)
4. OS-specific random source - if the OS has a random source available (e.g. /dev/urandom)

如果操作系统有随机源，那么生成的ID的强度会话ID高（ / dev / urandom和其他OS随机源是（通常）密码安全的PRNG ）。然而，如果它不然，那是令人满意的。

If the OS has a random source available then strength of the generated ID for the purpose of being a session ID is high (/dev/urandom and other OS random sources are (usually) cryptographically secure PRNGs). If however it does not then it is satisfactory.

会话识别生成的目标是：

The goal with session identification generation is to:

1. 生成具有相同值的两个会话ID的概率


2. 使得计算生成随机密钥和使用中的密钥非常具有挑战性。

这是通过PHP的会话生成方法实现的。

This is achieved by PHP's approach to session generation.

你不能绝对保证唯一性，但概率是如此之低的打击相同的哈希两次，一般来说，不值得担心。

You cannot absolutely guarantee uniqueness, but the probabilities are so low of hitting the same hash twice that it is, generally speaking, not worth worrying about.

这篇关于PHP会话ID - 它们是如何生成的？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！