
So, brief background: we have 8 Apache web servers that use a shared NFS drive where the PHP sessions are stored, instead of using sticky sessions on a load balancer etc. We get traffic in excess of 100k unique visitors per day.

So my question is: given the nature of this stack, is it probable that multiple users could be assigned the same session ID, and are we potentially vulnerable to one user being assigned the same session as another user?

  • You should not worry about collisions between session IDs generated on different machines. The session ID generation algorithm uses the machine's IP besides current time and a random number. (http://stackoverflow.com/questions/18937651/php-session-ids-how-are-they-generated) – Sergiu Paraschiv Jun 19 '14 at 10:35
  • There obviously is the issue of md5 collisions, but you _can_ improve entropy: http://www.php.net/manual/en/session.configuration.php#ini.session.hash-function – Sergiu Paraschiv Jun 19 '14 at 10:39

1 Answer


It's very rare, but yes, it can happen... I would suggest using cookies and not sessions: less server load, and this won't happen.

http://forge.typo3.org/issues/37780

Dima
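The question and the comments above turn on two separate things: how likely a random collision is for IDs of a given size, and what happens on a shared session store if two servers ever do pick the same ID. The following is an added example, not code from the question, the answer, or PHP itself. It computes the birthday bound for the session counts the question implies, and shows the check a file-based session store can make on NFS: create the session file with O_CREAT|O_EXCL so the second server to claim an ID gets EEXIST and picks another one instead of silently sharing the session. The 128-bit ID size is chosen because it matches PHP's classic MD5 session IDs and the 32-hex-character default of PHP 7.1 and later; the 30-day retention window and the 100k sessions/day are assumptions taken from the question. The ID generator here is plain `secrets.token_hex`, an illustration rather than PHP's own generator.

```python
"""Added example: collision odds for random session IDs, and atomic
session-file creation on a shared (NFS) session directory.

Assumptions (not from the original page): 128-bit IDs, sessions retained
for 30 days, 100k new sessions per day. The ID generator below is plain
secrets.token_hex, used to illustrate the idea; it is not PHP's code.
"""
import math
import os
import secrets
import tempfile


def collision_probability(n_sessions: int, id_bits: int) -> float:
    """Probability that at least two of n_sessions uniformly random
    id_bits-bit identifiers coincide, via the birthday approximation
    p ~= 1 - exp(-n^2 / 2^(id_bits + 1)).  expm1 keeps precision when
    the answer is a tiny number like 1e-26 (plain exp would return 0.0)."""
    exponent = -(n_sessions ** 2) / (2.0 ** (id_bits + 1))
    return -math.expm1(exponent)


def sessions_for_probability(p: float, id_bits: int) -> int:
    """Inverse: how many live sessions it takes before the collision
    probability reaches p.  n ~= sqrt(-2^(id_bits+1) * ln(1 - p))."""
    return int(math.sqrt(2.0 ** (id_bits + 1) * -math.log(1.0 - p)))


def new_session_id(sid_length: int = 32) -> str:
    """sid_length hex characters from the OS CSPRNG.  32 hex chars = 128
    bits, the same size as PHP's default IDs (illustrative, not PHP's code)."""
    return secrets.token_hex(sid_length // 2)


def create_session_file(session_dir: str, sid_length: int = 32,
                        max_attempts: int = 5) -> str:
    """Allocate a fresh session ID and create its file atomically.

    O_CREAT|O_EXCL makes open() fail with EEXIST if the file already
    exists, so two servers racing on the same ID cannot both succeed.
    Caveat: this is only atomic on NFS with NFSv3 or later; NFSv2 did not
    support O_EXCL on the server side, so the check was racy there.
    """
    for _ in range(max_attempts):
        sid = new_session_id(sid_length)
        path = os.path.join(session_dir, "sess_" + sid)
        try:
            fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        except FileExistsError:
            continue  # another server claimed this ID first: pick a new one
        os.close(fd)
        return sid
    raise RuntimeError("could not allocate a unique session ID")


def simulate_id_exhaustion(sid_length: int = 2) -> tuple:
    """Failure-mode demonstration: with a deliberately tiny ID space
    (sid_length=2 gives only 256 IDs), pre-create every session file except
    one and show that create_session_file() still ends up with the one
    free ID rather than reusing an existing session.  Returns
    (the_only_free_id, id_actually_allocated)."""
    session_dir = tempfile.mkdtemp(prefix="sess_demo_")
    free_id = "ab"  # arbitrary choice among the 256 two-hex-char IDs
    for i in range(16 ** sid_length):
        sid = format(i, "0%dx" % sid_length)
        if sid != free_id:
            open(os.path.join(session_dir, "sess_" + sid), "w").close()
    allocated = create_session_file(session_dir, sid_length, max_attempts=20000)
    return free_id, allocated


if __name__ == "__main__":
    live = 100_000 * 30  # 100k sessions/day kept for 30 days (assumption)
    for bits in (32, 64, 128):
        print("%3d-bit IDs, %d live sessions: p(collision) = %.3g, "
              "sessions for 50%% odds = %d"
              % (bits, live, collision_probability(live, bits),
                 sessions_for_probability(0.5, bits)))
    print("exhaustion demo (expected, got):", simulate_id_exhaustion())
```

Running the script shows the point behind the first comment: with 128-bit IDs, three million live sessions give a collision probability around 1e-26, and it takes on the order of 2e19 concurrent sessions to reach even odds, so the shared NFS store does not change the picture as long as the IDs really are random. A 32-bit ID, by contrast, is essentially guaranteed to collide at that load, which is why the entropy settings in the second comment matter more than the number of web servers. Independently of entropy, the O_EXCL create is the check that turns an unlikely collision into a retry rather than a shared session; PHP's own files handler also has `session.use_strict_mode` (PHP 5.5.2 and later), which rejects client-supplied IDs that do not already exist on the server and is the setting to enable if the concern is one user landing in another user's session.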