7

In the session section of PHP.ini there is a directive called session.entropy_length.

I'm aware that it's used to make the generation of the session id more random.

How does it do that?

What is the maximum length?

What if it's exceeding the bits of the hash in use?

SAz
  • 355
  • 4
  • 14

1 Answer

-2

session.entropy_length specifies the number of bytes which will be read from the file specified above. Defaults to 0 (disabled).

PHP Manual

The "file mentioned above" is session.entropy_file.

'Entropy' for sessions is related to the randomness of session id values.

Tocacar
  • 475
  • 3
  • 12
  • 2
    We know what's in the docs, but the docs aren't very helpful with this. I think the OP is trying to get more feeling for how to use it: What values make sense (aren't too large or too small)? How does the value relate to other settings like the hash type? What's a good value to use, and why wouldn't one use a higher value if it's allowed? Assuming the PHP team generally sets defaults for a reasonable level of security out-of-the-box, why is the default on this zero; isn't that a compromise of security? – mr. w Feb 18 '16 at 23:18
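Added example (not part of the question or answer, and not PHP's own source): a Python model of how PHP 5.x combined session.entropy_length bytes read from session.entropy_file with its other seed material and the configured session.hash_function, then encoded the digest per session.hash_bits_per_character. The IP, time and LCG values are constructed; it shows that the id's length and its entropy ceiling are set by the hash, so entropy_length beyond the digest size adds nothing to the id.

```python
import hashlib
import os

# Constructed model of PHP 5.x session-id generation (these ini settings were
# removed in PHP 7.1); it is not PHP's own source. Assumed defaults: md5,
# 4 bits per character, constructed sample IP/time/LCG values.
HEXCONVTAB = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,"


def bin_to_readable(digest: bytes, bits_per_char: int) -> str:
    """Encode a digest with session.hash_bits_per_character (4, 5 or 6)."""
    mask = (1 << bits_per_char) - 1
    out, w, have = [], 0, 0
    for byte in digest:
        w |= byte << have
        have += 8
        while have >= bits_per_char:
            out.append(HEXCONVTAB[w & mask])
            w >>= bits_per_char
            have -= bits_per_char
    if have:                      # leftover bits become one final character
        out.append(HEXCONVTAB[w & mask])
    return "".join(out)


def php5_session_id(hash_name="md5", bits_per_char=4, entropy_length=0,
                    entropy_source=os.urandom, remote_addr="203.0.113.10",
                    seconds=1455836280, usec=123456, lcg=0.5):
    """Hash the PHP 5 seed material, plus entropy_length random bytes when > 0."""
    h = hashlib.new(hash_name)
    # Seed material PHP 5 always used: client IP, wall-clock time, its own LCG.
    h.update(f"{remote_addr:.15s}{seconds}{usec}{lcg * 10:0.8f}".encode())
    # session.entropy_length bytes read from session.entropy_file are appended.
    if entropy_length > 0:
        h.update(entropy_source(entropy_length))
    return bin_to_readable(h.digest(), bits_per_char)


def effective_entropy_bits(hash_name: str, entropy_length: int) -> int:
    """Unpredictable bits in the id are capped by the hash output size."""
    digest_bits = hashlib.new(hash_name).digest_size * 8
    return min(entropy_length * 8, digest_bits)


if __name__ == "__main__":
    for name, bits, n in [("md5", 4, 0), ("md5", 4, 16), ("md5", 4, 64), ("sha1", 5, 32)]:
        sid = php5_session_id(name, bits, n)
        print(f"{name:5} {bits} bits/char entropy_length={n:2}: len={len(sid)} "
              f"id={sid} max_entropy={effective_entropy_bits(name, n)} bits")
```

With entropy_length at its default of 0 the id is a pure function of the IP, clock and LCG inputs, which is why the manual's recommendation was to point entropy_file at an OS random source and set entropy_length to at least the digest size.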