I'm making a table in a MySQL database to save some session data, including session_id. What should be the length of the VARCHAR to store the session_id string?
Asked
Active
Viewed 6.0k times
5 Answers
40
Depends on session.hash_function and session.hash_bits_per_character.
Check out the session_id page for more info.
The higher you set session.hash_bits_per_character the shorter your session_id will become by using more bits per character. The possible values are 4, 5, or 6.
When using sha-1 for hashing (by setting ini_set('session.hash_function', 1) the following session string lengths are produced by the three session.hash_bits_per_character settings:
4 - 40 character string
5 - 32 character string
6 - 27 character string
-
So 40 character is a secure set, and if I want to save some bytes, I must check the php config, right? – Gustavo Sep 03 '12 at 01:26
-
Check php.ini to see what the settings are. 40 characters is the result of SHA-1 hash function and 4 bits per character. You can do `echo strlen(session_id());` to see the length and make your database field accordingly. – sachleen Sep 03 '12 at 02:46
-
3For reference, the session_id length will also be 32 if you use the MD5 hash function and 4 hash bits per character. That made me tear my hair out for a few hours today. – sevenseacat Jul 05 '13 at 09:06
-
2@GustavoPinent The number of characters has no security implications, only the hash function with its inherent hash size. How you encode that hash is just a matter of what serializations the transport or storage systems require. Theoretically, you could encode a SHA1 in just 20 bytes with a simple bitfield. Unfortunately, cookies and URIs (common transports) support only characters, and depending on which charset and character encoding you can use you'll have serialization overhead; double with 4 bits/char (implied here is that characters are 8 bits long -- the other 4 bits are wasted). – tne Dec 21 '15 at 11:47
-
2As of PHP 7.1.0, there is [`session.sid_length`](https://www.php.net/manual/en/session.configuration.php#ini.session.sid-length) instead of `session.hash_function` and `session.hash_bits_per_character`. – Marten Koetsier Mar 08 '20 at 15:16
35
@sachleen answer isn't full.
More detailed info about session id length is described here.
Summary:
128-bit digest (MD5)
4 bits/char: 32 char SID
5 bits/char: 26 char SID
6 bits/char: 22 char SID
160-bit digest (SHA-1)
4 bits/char: 40 char SID
5 bits/char: 32 char SID
6 bits/char: 27 char SID
And sample regex to check session id:
preg_match('/^[a-zA-Z0-9,-]{22,40}$/', $sessionId)
Andron
- 6,413
- 4
- 43
- 56
3
It depends on these configuration settings: session.hash_function and session.hash_bits_per_character
Shorter session ID lengths have the higher chance of collision, but this also depends a lot on the ID generation algorithm. Given the default settings, the length of the session ID should be appropriate for most applications. For higher-security implementations, you may consider looking into how PHP generates its session IDs and check whether it's cryptographically secure. If it isn't, then you should roll your own algorithm with a cryptographically secure source of randomness.
John Woo
- 258,903
- 69
- 498
- 492
-
3The chance of collision is entirely determined by hash function, entropy used, and volume of traffic. Using a more secure hashing function will produce a larger session ID string, so if that's what you meant by shorter session ID lengths having a higher chance of collision, then you're correct, but shortening that length by using a higher bit depth per character will have no effect. – Jason Jun 11 '13 at 03:58
-
1Is 128 characters long session id an overkill for generic web application? – TheFrost Apr 26 '14 at 12:19
1
By the regular php installation length is always 26 (exmp: psprdaccghmmre1oo2eg0tnpe6)
Gocha
- 87
- 1
- 1
- 7
1
As of PHP 7.1 if using session_create_id() the default session id length is 32 characters, however a user can change this default in php.ini
See the php.ini setting session.sid_length
Baxny
- 576
- 7
- 12