I read that a session ID is created using an algorithm that leaves a tiny probability of generating two equal IDs. But what happens if I get two equal ones? I don't really know how sessions work, but I imagine that I would be able to access the data stored in the $_SESSION array of the person who has the same ID.
In this case, that wouldn't be a positive thing. Is it possible to have a really unique session ID?
Thanks!
DamiToma
- The probability is so very low that you shouldn't waste another electron worrying about it. – Jay Blanchard Apr 05 '17 at 13:13
- You go out and buy a lottery ticket that week – Mark Baker Apr 05 '17 at 13:14
- Humans have a terrible intuition about probabilities. "Tiny probability" is a mathematical truth, but it does not mean that it will ever happen in practice. – deceze Apr 05 '17 at 13:17
- It would probably confuse the heck out of the 2 users in question. They would both log off and log in again. Then you could wait for another 1000 years for the next one to happen – RiggsFolly Apr 05 '17 at 13:19
- You could create a browser or IP address "fingerprint" and store that with the session variable - recreate that "fingerprint" at session start and if it doesn't match the stored version, respawn the session. This is likely to be more problematic than the odds of session duplication though... (I've found AOL does some really weird stuff if you try and fingerprint their browser - especially moving between http and https) – CD001 Apr 05 '17 at 13:21
- @RiggsFolly: 1000 years sounds pretty optimistic. I suspect the probability is more analogous to that of quantum tunneling causing one of the two users' hands to pass right through their mouse and being unable to use the browser anyway. – David Apr 05 '17 at 13:22
- @David Oooo I need to look up `quantum tunneling`, that sounds like fun. With luck maybe the 2 users could actually hold hands :) – RiggsFolly Apr 05 '17 at 13:23
- @RiggsFolly: There exists a non-zero possibility. Quantum physics teaches us that anything can happen at any time for no reason at all :) – David Apr 05 '17 at 13:24
- @David Ahh, now that happens to me all the time. Now I know what to blame :) I always thought it was the compilers picking on me :):) – RiggsFolly Apr 05 '17 at 13:26
- There is a chance of deliberate session hijacking at a poorly secured open access point (coffee shop), so taking some precautions about 2 users having the same session id is not entirely in the realm of the tinfoil hat. – CD001 Apr 05 '17 at 13:29
- @CD001 Outright session hijacking is a completely different topic and cannot be solved with anything but using an SSL connection. – deceze Apr 05 '17 at 13:37
- @deceze even SSL is no guarantee if 2 users are on the same open wifi network - but yeah, different topic. – CD001 Apr 05 '17 at 13:57
1 Answer
It is not very likely or probable that you will generate two equal session IDs, though of course this will depend on the algorithm that was used to generate the IDs.
If you want to know how sessions are generated in, for example, PHP, take a look here: PHP session IDs -- how are they generated? As you can read, these session IDs are not entirely random: ingredients such as the user's IP address and time of issuance are used, limiting who can get the very unlikely equal session ID and when.
Furthermore, you can limit the effect of an equal session ID by limiting the session expiration time and the remote IP and domain allowed to use it.
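The following is an added example, not code from the question, the answer or the comments above. It puts numbers on the "tiny probability" the commenters talk about (a birthday-bound estimate for a given ID length) and implements the mitigations the answer and CD001's comment describe: a large, strictly-validated ID space, an idle timeout, a fingerprint stored in the session that is re-checked on every request, and a fresh ID after login. It assumes PHP 7.3 or later (for `session.sid_length`, `session.sid_bits_per_character` and `session.cookie_samesite`); `collision_probability`, `client_fingerprint`, `start_bound_session` and `on_login` are names chosen for this example.

```php
<?php
// Added example (not part of the original Q&A): hardening PHP's session
// handling so that a duplicate, guessed or fixated session ID has no
// practical effect. Assumes PHP >= 7.3.
declare(strict_types=1);

// 1. Make the ID space large enough that a collision is a non-issue:
//    48 characters drawn from a 64-symbol alphabet = 288 bits of entropy.
ini_set('session.sid_length', '48');
ini_set('session.sid_bits_per_character', '6');

// 2. Refuse IDs the server never issued. Without strict mode PHP will create
//    a new session under whatever ID a client presents (session fixation).
ini_set('session.use_strict_mode', '1');

// 3. Keep the cookie away from scripts and plain HTTP, and let the garbage
//    collector drop sessions that have been idle for 30 minutes.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.gc_maxlifetime', '1800');

const IDLE_LIMIT_SECONDS = 1800;

/**
 * Upper bound on the probability that at least one pair among $n session
 * IDs collides, for IDs carrying $bits bits of entropy.
 * Birthday bound: n(n-1) / 2^(bits+1).
 */
function collision_probability(int $bits, int $n): float
{
    // 2 ** 289 overflows PHP's int and silently becomes a float, which is
    // exactly what we want here.
    return ($n * ($n - 1)) / (2 ** ($bits + 1));
}

/**
 * Hypothetical helper: a fingerprint that ties the session to the client.
 * The IP address is deliberately left out (NAT, mobile clients and the
 * AOL-style proxies CD001 mentions change it mid-session); only the
 * User-Agent string is hashed.
 */
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

/**
 * Start the session and throw away its contents if it arrives from a client
 * that does not match the stored fingerprint or has been idle too long.
 * A second user who somehow presents the same ID therefore gets an empty
 * session under a brand-new ID, not the first user's data.
 */
function start_bound_session(): void
{
    session_start();
    $now = time();

    $fresh    = !isset($_SESSION['fp']);
    $mismatch = !$fresh && !hash_equals($_SESSION['fp'], client_fingerprint());
    $idle     = isset($_SESSION['last'])
             && ($now - $_SESSION['last']) > IDLE_LIMIT_SECONDS;

    if ($mismatch || $idle) {
        $_SESSION = [];                 // drop whatever the old session held
        session_regenerate_id(true);    // new ID, old session file deleted
        $fresh = true;
    }
    if ($fresh) {
        $_SESSION['fp'] = client_fingerprint();
    }
    $_SESSION['last'] = $now;
}

/**
 * After a successful login always issue a new ID, so whatever ID the browser
 * held before authentication (colliding, fixated or sniffed) is dead.
 */
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_bound_session();
// How likely is a collision among a billion live sessions with 288-bit IDs?
printf("%.3e\n", collision_probability(288, 10 ** 9));
```

Binding to the User-Agent rather than the IP address is a deliberate choice: the answer mentions restricting the remote IP, but clients behind carrier-grade NAT or switching between Wi-Fi and mobile data would be logged out constantly, which is the kind of breakage CD001's comment warns about. The fingerprint is only a tripwire; the real protection is `session.use_strict_mode` plus `session_regenerate_id(true)` on every privilege change, which together make the question's scenario (reading someone else's `$_SESSION` through a shared ID) require the attacker to first obtain a server-issued ID.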