Walrus

Reputation: 20444

PHP secure session by unique identifier

New to sessions and just wondering if there is any possibility that, if (in our case) two bookings are being processed at the same time, the session variables can get confused.

For example, if user 1 makes a booking, the information stays in sessions while he logs in. Meanwhile another user, who is already logged in, makes a booking. Is there any chance that the sessions could get confused?

If the answer is yes, would the solution be to have a unique temporary name as part of the session names, a bit like the TMP name in file upload?

And if so, how to do it?

Many Thanks,

Upvotes: 1

Views: 668

Answers (4)

k to the z

Reputation: 3185

I believe the UID (what PHP assigns as a session ID) is randomly generated off of the server time, so the answer is no. No two people will be assigned the same UID.

Upvotes: 3

Your Common Sense

Reputation: 157860

Just to extend Marc's answer a bit.

The possibility he is talking about is very similar to the possibility of being killed by a meteorite from space.

So, in practice the answer is NO. You can rely on big numbers like everyone else does.

Upvotes: 0

Marc B

Reputation: 360612

Session IDs are essentially just random numbers. It's HIGHLY unlikely, but NOT impossible for two or more users to get the same session ID.

PHP does (I believe) check if there's another session currently using the ID it's just generated. If there's a collision, it'll just generate another one, and keep trying until something "unique" comes up. However, this doesn't prevent the case where:

  1. user A gets session ID 'X'
  2. user A goes away for a while and session 'X' gets expired
  3. user B shows up, and the server generates session ID 'X' again by random chance
  4. user A comes back with their original session X cookie ID and gets user B's session.

Again, given the size of the session ID space, it's very very very unlikely for this to occur. But also again, it's not impossible.

Beyond that, there are cases where broken/misconfigured proxy servers get cookies confused and basically 'cross wires' so that session IDs get mixed up between different users. I remember a case where a mobile operator's gateway did just that, and people on a certain model of smartphone were getting other people's sessions instead of the one they'd been on.

Upvotes: 0

Chris Salij

Reputation: 3126

I don't see how the sessions could get confused. The server generates a unique session id for that user's session. On each page request the user's browser sends the session id to the server and the server validates that it's a valid session.

As long as the session ids are unique and the user doesn't discover another user's session id, then there is no room for confusion.

Upvotes: 0
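
An added example, not part of any answer above and not code from the thread: one way to keep a pending booking in the visitor's own session across login, with the session ID accepted only from a server-issued cookie and replaced at login. It assumes PHP 7.3+ served over HTTPS; the three function names and the sample booking are made up for the illustration.

```php
<?php
// Added example (not from the original thread). Assumes PHP 7.3+ and HTTPS.
// start_booking_session(), save_pending_booking() and complete_login() are
// hypothetical helper names chosen for this illustration.
declare(strict_types=1);

function start_booking_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Refuse session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // Take the ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function save_pending_booking(array $booking): void
{
    // $_SESSION is loaded from the store entry for this visitor's session ID,
    // so a plain key is enough; another visitor has a different array.
    $_SESSION['pending_booking'] = $booking;
}

function complete_login(int $userId): ?array
{
    // Issue a fresh ID at the privilege change; `true` deletes the old
    // session entry, while the data in $_SESSION is carried over.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    return $_SESSION['pending_booking'] ?? null;
}

// Usage with constructed sample data (user id 42 is a placeholder):
start_booking_session();
save_pending_booking(['room' => 'A12', 'nights' => 2]);
$booking = complete_login(42);
```

No temporary prefix on the key names is needed, because `$_SESSION` is already a separate array per session ID.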
