are PHP auto-generated Session ID's locked on IP address?

Question

I read on a other Stackoverflow article that Session ID's in PHP are generated based on:

IP address of the client
Current time
PHP Linear Congruence Generator - a pseudo random number generator (PRNG)
OS-specific random source - if the OS has a random source available (e.g. /dev/urandom)

I could not find an awnser on the web to the question if these Session ID's are only usable with the IP used in the generation.

Seems most likely to me, but can anyone confirm?

The other article is most likely https://stackoverflow.com/questions/18937651/php-session-ids-how-are-they-generated — Andy Lester, Jan 29 '18 at 22:19

score 1 · Accepted Answer · answered Dec 03 '14 at 13:17

1

No, they definitely aren't "locked" to the IP address. For many users that wouldn't work as their web traffic goes through proxies and such so their IP address may be different to the server for each separate request.

answered Dec 03 '14 at 13:17

Michael Chaney

2,911
19
26

are PHP auto-generated Session ID's locked on IP address?

1 Answers1