uniqueness of session

If two PCs from the same router connect to my web server, will unique
session IDs be generated for each connection?

In fact, is there an article talking about how PHP generates session
cookies?

--
iTech Consulting Services Limited
Expert of ePOS solutions
Website: http://www.itech.com.hk (IE only)
Tel: (852)2325 3883 Fax: (852)2325 8288
Apr 26 '07 #1
10 Replies


Man-wai Chang wrote:
> If two PCs from the same router connect to my web server, will unique
> session IDs be generated for each connection?
>
> In fact, is there an article talking about how PHP generates session
> cookies?

No article I know of. But you will get two different session id's.

You'll also get two session id's if the user uses two different browsers
(i.e. IE and Firefox) from the same computer.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Apr 26 '07 #2

> No article I know of. But you will get two different session id's.
> You'll also get two session id's if the user uses two different browsers
> (i.e. IE and Firefox) from the same computer.

Thanks. Guess I have to read the source codes of PHP to find it out then
... :)

--
iTech Consulting Services Limited
Expert of ePOS solutions
Website: http://www.itech.com.hk (IE only)
Tel: (852)2325 3883 Fax: (852)2325 8288
Apr 26 '07 #3

Man-wai Chang wrote:
>> No article I know of. But you will get two different session id's.
>> You'll also get two session id's if the user uses two different
>> browsers (i.e. IE and Firefox) from the same computer.
>
> Thanks. Guess I have to read the source codes of PHP to find it out then
> ... :)

It has nothing to do with the source code for PHP. It's how browsers work.

The browser keeps track of the session id, generally in a cookie (if
cookies aren't supported PHP uses the GET parameters). Two different
computers cannot share the same cookie - and therefore the same session id.

It has nothing to do with ip addresses at all (which are not unique and
may change at any time).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Apr 26 '07 #4

On Apr 26, 4:52 am, Man-wai Chang <toylet.toy...@gmail.com> wrote:
>> No article I know of. But you will get two different session id's.
>> You'll also get two session id's if the user uses two different browsers
>> (i.e. IE and Firefox) from the same computer.
>
> Thanks. Guess I have to read the source codes of PHP to find it out then
> ... :)
>
> --
> iTech Consulting Services Limited
> Expert of ePOS solutions
> Website: http://www.itech.com.hk (IE only)
> Tel: (852)2325 3883 Fax: (852)2325 8288

they are only statistically unique of course, but we are talking about
1 in 36^32 for php.
there have been various discussions about comparisons between .net php
j2ee session ids.
see here for instance on how to test their relative strengths:
http://www.owasp.org/index.php/How_t...with_WebScarab
and here for more on the security aspects of session identifiers, (as
of course the non collision is but one [solved] aspect)
http://www.owasp.org/index.php/Session_Management

Apr 26 '07 #5

Rik
Jerry Stuckle wrote:
> Man-wai Chang wrote:
>>> No article I know of. But you will get two different session id's.
>>> You'll also get two session id's if the user uses two different
>>> browsers (i.e. IE and Firefox) from the same computer.
>>
>> Thanks. Guess I have to read the source codes of PHP to find it out
>> then ... :)
>
> It has nothing to do with the source code for PHP. It's how browsers work.
>
> The browser keeps track of the session id, generally in a cookie (if
> cookies aren't supported PHP uses the GET parameters). Two different
> computers cannot share the same cookie - and therefore the same session id.
>
> It has nothing to do with ip addresses at all (which are not unique and
> may change at any time).

To elaborate:
When you 'start' a session, and the browser hasn't given the server a
session-id, a new session will be created, of which the server knows
it's not currently in use. Different browsers on a computer cannot check
each other's session-id's (well, they could, but that's not implemented
and probably never will be simply because it's not useful). So they get
different ones. This also means a browser which doesn't accept and/or
get a session-id will make the server start a new session on every request.

Simplest way to view it: a _program_ (normally browser) is communicating
with the server, not your computer, or your router, or your modem.
Although some ill-advised people often want to make it appear
(/implement) as such.
--
Rik Wasmus

Estimated date being able to walk again: 01-05-2007.
Less than a week, hurray!
Apr 26 '07 #6

On Apr 26, 4:23 am, Man-wai Chang <toylet.toy...@gmail.com> wrote:
> If two PCs from the same router connect to my web server, will unique
> session IDs be generated for each connection?
>
> In fact, is there an article talking about how PHP generates session
> cookies?
>
> --
> iTech Consulting Services Limited
> Expert of ePOS solutions
> Website: http://www.itech.com.hk (IE only)
> Tel: (852)2325 3883 Fax: (852)2325 8288

answering a similar point - that of /can/ you use the same session
identifier on two browsers, the answer is yes for the most part. so if
your router is admin'd by someone you don't trust, it is more than
possible for the session id to be reused (replayed) so that your
session is active on two different machines. This is partly the reason
why the sessions space is so large, the sparseness of the space makes
session id prediction unlikely, the randomness adds to this
unlikeliness. But none of this prevents your session ID from being
reused, so if you have a hub somewhere on your network, you are
allowing other users to sniff your session ids, which are often used
as "authenticators" so allowing session hijacking.
all these concerns come into play and so you shouldn't really feel too
secure if you don't admin the router, or if your router is not patched
with the latest firmware, and is the reason why routers while often
ignored, are a vital consideration when considering security. toodle
pip. m

Apr 26 '07 #7

The INI setting session.use_cookies can be used to disable the use of
cookies for storing the session id remotely, and then I guess PHP will
just rely on the IP address and (probably) User-Agent header. In this
case, it may use the same session id for two computers under the same
router.

Apr 26 '07 #8

On Apr 26, 11:54 pm, Mike P2 <sumguyovrt...@gmail.com> wrote:
> The INI setting session.use_cookies can be used to disable the use of
> cookies for storing the session id remotely, and then I guess PHP will
> just rely on the IP address and (probably) User-Agent header. In this
> case, it may use the same session id for two computers under the same
> router.

in this case the application is responsible for maintaining state,
which means that if the application does not send the sess id in the
url/hidden input/cookie and receive it and maintain it server side in
a file/database then a session won't be started/maintained.

Apr 26 '07 #9

> The INI setting session.use_cookies can be used to disable the use of
> cookies for storing the session id remotely, and then I guess PHP will
> just rely on the IP address and (probably) User-Agent header. In this
> case, it may use the same session id for two computers under the same
> router.

It won't. Instead, PHP will rewrite your HTML output to inject the
session parameter in your forms, URLs, etc. So when you switch off
cookie-based session ID communication, PHP will try to use GET or POST.

Best regards,
--
Willem Bogaerts

Application smith
Kratz B.V.
http://www.kratz.nl/
Apr 27 '07 #10

On Apr 27, 8:09 am, Willem Bogaerts
<w.bogae...@kratz.maardanzonderditstuk.nl> wrote:
>> The INI setting session.use_cookies can be used to disable the use of
>> cookies for storing the session id remotely, and then I guess PHP will
>> just rely on the IP address and (probably) User-Agent header. In this
>> case, it may use the same session id for two computers under the same
>> router.
>
> It won't. Instead, PHP will rewrite your HTML output to inject the
> session parameter in your forms, URLs, etc. So when you switch off
> cookie-based session ID communication, PHP will try to use GET or POST.

this only happens if
session.use_trans_sid = 1
which it should not be (for security reasons)
allowing the rewriter to be active is a real issue, so for earlier
versions of php, yes this will come into play and various parts of the
html might be altered, but for later php versions, this doesn't happen,
which is much safer!

> Best regards,
> --
> Willem Bogaerts
>
> Application smith
> Kratz B.V. http://www.kratz.nl/

Apr 27 '07 #11
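
An added example, not part of the thread: a PHP check of the directives that decide how the session ID travels between browser and server. It covers `session.use_trans_sid` from the posts above plus `session.use_only_cookies`, `session.use_strict_mode`, `session.cookie_secure` and `session.cookie_httponly`, which are real PHP directives the thread does not mention; the function name and the weak sample configuration are constructed for illustration.

```php
<?php
// Added example (not from the thread): audit how PHP transports the session ID.

/**
 * @param array $ini directive name => raw value as returned by ini_get()
 * @return string[]  one finding per weak setting; empty when all checks pass
 */
function audit_session_transport(array $ini): array
{
    // ini_get() yields strings such as "1", "0", "" or "On"; normalise to bool.
    $on = function (string $key) use ($ini): bool {
        return filter_var($ini[$key] ?? false, FILTER_VALIDATE_BOOLEAN);
    };

    $findings = [];
    if ($on('session.use_trans_sid')) {
        $findings[] = 'use_trans_sid=1: the ID is rewritten into URLs and forms, '
            . 'so it leaks via logs, Referer headers and shared links';
    }
    if (!$on('session.use_only_cookies')) {
        $findings[] = 'use_only_cookies=0: an ID supplied in the URL is accepted';
    }
    if (!$on('session.use_strict_mode')) {
        $findings[] = 'use_strict_mode=0: an ID the server never issued is adopted';
    }
    if (!$on('session.cookie_secure')) {
        $findings[] = 'cookie_secure=0: the cookie is sent over plain HTTP and can be sniffed';
    }
    if (!$on('session.cookie_httponly')) {
        $findings[] = 'cookie_httponly=0: page scripts can read the cookie';
    }
    return $findings;
}

$directives = ['session.use_trans_sid', 'session.use_only_cookies',
    'session.use_strict_mode', 'session.cookie_secure', 'session.cookie_httponly'];

// Configuration of the PHP runtime executing this script.
$live = array_combine($directives, array_map('ini_get', $directives));

// Constructed sample: URL-based session IDs enabled, no cookie protections.
$weak = ['session.use_trans_sid' => '1', 'session.use_only_cookies' => '0'];

foreach (['live runtime' => $live, 'constructed weak sample' => $weak] as $label => $cfg) {
    $findings = audit_session_transport($cfg);
    echo "== $label: " . count($findings) . " finding(s) ==\n";
    foreach ($findings as $f) {
        echo "  - $f\n";
    }
}
```

None of these settings stops a captured ID from being replayed, as post #7 points out; they only narrow the places where the ID is exposed.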
