For example, if two hosts arrive at a server at the same time
(microtime), using the same IP via NAT, and are maybe even lucky
enough to get the same random number.
How does PHP make them use different session IDs?
Or, in fact, is the PHP session not 100% safe enough?
Thanks.
howa wrote:
> For example, if two hosts arrive at a server at the same time
> (microtime), using the same IP via NAT, and are maybe even lucky
> enough to get the same random number.
> How does PHP make them use different session IDs?
> Or, in fact, is the PHP session not 100% safe enough?
> Thanks.
Hi Howa,
As far as I know PHP doesn't take precautions for that.
A typical sessionid consists of 31 or so characters, ranging from:
0-9 and a-z: that is 37 possibilities per character.
So you'll end up with 37^31
You might very well find that the chances of accidentally creating the
same sessionid are equal to the chance you win the lottery 100 times in a
row, without ever buying a ticket, but finding them on the street.
So as far as I can see: there is no need to worry.
Regards,
Erwin Moller
PS: I don't think the IP address is of importance when creating a sessionid.
It is not a problem of easy or difficult, but of chance ...
Consider that you put money in a bank: if someone else might take your session,
even if the probability is 0.00000001%, we still want to avoid it....
Or we need to find a better method to assign the session ID, e.g. keep
track of the session ID in a database.
On 6/23, 7:03, Erwin Moller
<since_humans_read_this_I_am_spammed_too_m...@spam yourself.com> wrote:
> howa wrote:
>> For example, if two hosts arrive at a server at the same time
>> (microtime), using the same IP via NAT, and are maybe even lucky
>> enough to get the same random number.
>> How does PHP make them use different session IDs?
>> Or, in fact, is the PHP session not 100% safe enough?
>> Thanks.
> Hi Howa,
> As far as I know PHP doesn't take precautions for that.
> A typical sessionid consists of 31 or so characters, ranging from:
> 0-9 and a-z: that is 37 possibilities per character.
> So you'll end up with 37^31
> You might very well find that the chances of accidentally creating the
> same sessionid are equal to the chance you win the lottery 100 times in a
> row, without ever buying a ticket, but finding them on the street.
> So as far as I can see: there is no need to worry.
> Regards,
> Erwin Moller
> PS: I don't think the IP address is of importance when creating a sessionid.
I've never used the PHP sessions (my code assigns its own session IDs).
The particular approach I use to ensure uniqueness is to concatenate time,
microtime, and PID, and then to spinlock until the microtime changes. This
works because no two processes can have the same PID at the same time.
As Herr Moller pointed out, IP isn't directly involved in session ID.
However, when a session is opened on my systems, there is some server-side
state held to remember the session and related data, including the IP. If
there is another connection made using the same session ID from a different
IP, the software assumes that it is a forgery, kills the session(s)
involved, and writes alarming things in the logfiles.
I don't know what security best practices are for sessions, but I think if
the IP changes during a session it would be unusual.
Dave.
"howa" <ho******@gmail.com> wrote in message
news:11*********************@e9g2000prf.googlegroups.com...
> It is not a problem of easy or difficult, but of chance ...
> Consider that you put money in a bank: if someone else might take your session,
> even if the probability is 0.00000001%, we still want to avoid it....
> Or we need to find a better method to assign the session ID, e.g. keep
> track of the session ID in a database.
> On 6/23, 7:03, Erwin Moller
> <since_humans_read_this_I_am_spammed_too_m...@spam yourself.com> wrote:
>> howa wrote:
>>> For example, if two hosts arrive at a server at the same time
>>> (microtime), using the same IP via NAT, and are maybe even lucky
>>> enough to get the same random number.
>>> How does PHP make them use different session IDs?
>>> Or, in fact, is the PHP session not 100% safe enough?
>>> Thanks.
>> Hi Howa,
>> As far as I know PHP doesn't take precautions for that.
>> A typical sessionid consists of 31 or so characters, ranging from:
>> 0-9 and a-z: that is 37 possibilities per character.
>> So you'll end up with 37^31
>> You might very well find that the chances of accidentally creating the
>> same sessionid are equal to the chance you win the lottery 100 times in a
>> row, without ever buying a ticket, but finding them on the street.
>> So as far as I can see: there is no need to worry.
>> Regards,
>> Erwin Moller
>> PS: I don't think the IP address is of importance when creating a sessionid.
On 6/23, 11:35, "David T. Ashley" <d...@e3ft.com> wrote:
> The particular approach I use to ensure uniqueness is to concatenate time,
> microtime, and PID, and then to spinlock until the microtime changes. This
> works because no two processes can have the same PID at the same time.
Yes, your method seems more reliable than the PHP implementation...
but will it work on a multi-threaded web server, e.g. apache2?
"howa" <ho******@gmail.com> wrote in message
news:11**********************@i38g2000prf.googlegroups.com...
> On 6/23, 11:35, "David T. Ashley" <d...@e3ft.com> wrote:
>> The particular approach I use to ensure uniqueness is to concatenate time,
>> microtime, and PID, and then to spinlock until the microtime changes. This
>> works because no two processes can have the same PID at the same time.
> Yes, your method seems more reliable than the PHP implementation...
> but will it work on a multi-threaded web server, e.g. apache2?
My understanding would be that it won't work if a server is truly
multi-threaded.
My assumption is that each process is single-threaded, and that the http
server farms things out so that each PHP script running at any instant in
time has only one PID.
If threads are involved, that complicates things.
One would then need to use a different method entirely or also add some kind
of a thread identifier.
Dave.
--
David T. Ashley (dt*@e3ft.com)
http://www.e3ft.com (Consulting Home Page)
http://www.dtashley.com (Personal Home Page)
http://gpl.e3ft.com (GPL Publications and Projects)
howa wrote:
> It is not a problem of easy or difficult, but of chance ...
> Consider that you put money in a bank: if someone else might take your session,
> even if the probability is 0.00000001%, we still want to avoid it....
> Or we need to find a better method to assign the session ID, e.g. keep
> track of the session ID in a database.
> On 6/23, 7:03, Erwin Moller
> <since_humans_read_this_I_am_spammed_too_m...@spam yourself.com> wrote:
>> howa wrote:
>>> For example, if two hosts arrive at a server at the same time
>>> (microtime), using the same IP via NAT, and are maybe even lucky
>>> enough to get the same random number.
>>> How does PHP make them use different session IDs?
>>> Or, in fact, is the PHP session not 100% safe enough?
>>> Thanks.
>> Hi Howa,
>> As far as I know PHP doesn't take precautions for that.
>> A typical sessionid consists of 31 or so characters, ranging from:
>> 0-9 and a-z: that is 37 possibilities per character.
>> So you'll end up with 37^31
>> You might very well find that the chances of accidentally creating the
>> same sessionid are equal to the chance you win the lottery 100 times in a
>> row, without ever buying a ticket, but finding them on the street.
>> So as far as I can see: there is no need to worry.
>> Regards,
>> Erwin Moller
>> PS: I don't think the IP address is of importance when creating a sessionid.
There are no absolutes in computers. All there are are probabilities.
You just have to lower the probabilities enough so that they aren't a
problem.
For a website with 37^31 possibilities, I would think anything 1B
hits/sec. should be sufficient.
If you want true security, you need to use irrational numbers (or
similar) for your key. Of course, an irrational number never ends and
never repeats, so you may have a hard time sending that value over the
connection.
Anything else can be duplicated.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
..oO(David T. Ashley)
>However, when a session is opened on my systems, there is some server-side state held to remember the session and related data, including the IP. If there is another connection made using the same session ID from a different IP, the software assumes that it is a forgery, kills the session(s) involved, and writes alarming things in the logfiles.
This might lead to many false alarms. An IP is not unique to a
particular visitor.
Micha
..oO(howa)
> For example, if two hosts arrive at a server at the same time (microtime), using the same IP via NAT, and are maybe even lucky enough to get the same random number.
Very unlikely.
> How does PHP make them use different session IDs?
Don't know, probably nothing because it won't happen.
> Or, in fact, is the PHP session not 100% safe enough?
A session ID is a hash. By definition hashes can _never_ be 100% unique,
but the chance of a collision is small enough to be considered safe. If
that's not enough for you, then you have to implement some additional
checks, for example a new session ID and a forced re-login before doing
some critical operations.
Micha
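Micha's suggestion of a fresh session ID plus a forced re-login before critical operations, written out as an added example (this is not code from the thread or from PHP itself; the 300-second re-authentication window, the `$_SESSION` key names and the demo user are assumptions):

```php
<?php
// Added example, not code from the thread. Implements Micha's advice: issue a
// new session ID and force a fresh login before a critical operation, so a
// duplicated or leaked ID stops being useful exactly when it would matter.
declare(strict_types=1);

// Assumption: how recently the password must have been checked, in seconds.
const REAUTH_WINDOW = 300;

function onLogin(string $userId): void
{
    // Replace the ID and delete the old one server-side: any other copy of
    // the pre-login ID no longer maps to this authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = time();
}

// Pure check on the session array so it can be tested without a live session.
function isFreshlyAuthenticated(array $sess, int $now): bool
{
    return isset($sess['user_id'], $sess['auth_time'])
        && ($now - (int) $sess['auth_time']) <= REAUTH_WINDOW;
}

// Call before money transfers, password changes, etc. Returns false when the
// caller must redirect to the login page instead of performing the operation.
function beforeCriticalOperation(): bool
{
    if (!isFreshlyAuthenticated($_SESSION, time())) {
        // Drop the authenticated state; keep only where to return after login.
        $_SESSION = ['return_to' => $_SERVER['REQUEST_URI'] ?? '/'];
        session_regenerate_id(true);
        return false;
    }
    session_regenerate_id(true); // fresh ID for the sensitive step itself
    return true;
}

// Demo, runnable on the command line with PHP's default file-based handler.
// Nothing is printed until the end: session_regenerate_id() refuses to run
// once output has started (headers already sent).
$results = [];
session_start();
onLogin('alice');
$results[] = beforeCriticalOperation();              // just logged in: allowed
$_SESSION['auth_time'] = time() - 2 * REAUTH_WINDOW; // simulate a stale login
$results[] = beforeCriticalOperation();              // stale: re-login required
var_dump($results);
```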
David T. Ashley wrote:
> I've never used the PHP sessions (my code assigns its own session IDs).
> The particular approach I use to ensure uniqueness is to concatenate time,
> microtime, and PID, and then to spinlock until the microtime changes. This
> works because no two processes can have the same PID at the same time.
> As Herr Moller pointed out, IP isn't directly involved in session ID.
> However, when a session is opened on my systems, there is some server-side
> state held to remember the session and related data, including the IP. If
> there is another connection made using the same session ID from a different
> IP, the software assumes that it is a forgery, kills the session(s)
> involved, and writes alarming things in the logfiles.
> I don't know what security best practices are for sessions, but I think if
> the IP changes during a session it would be unusual.
> Dave.
It is actually quite common for an IP to change during a session - for
instance, AOL users have a "round robin" proxy system which picks the
least busy proxy at the time the request is being made. Many large
corporations have similar.
And, of course, dynamic addresses can change at any time; some ISPs run
leases as short as 1 hour.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
"Jerry Stuckle" <js*******@attglobal.net> wrote in message
news:tZ******************************@comcast.com...
> David T. Ashley wrote:
>> I've never used the PHP sessions (my code assigns its own session IDs).
>> The particular approach I use to ensure uniqueness is to concatenate time,
>> microtime, and PID, and then to spinlock until the microtime changes. This
>> works because no two processes can have the same PID at the same time.
>> As Herr Moller pointed out, IP isn't directly involved in session ID.
>> However, when a session is opened on my systems, there is some server-side
>> state held to remember the session and related data, including the IP. If
>> there is another connection made using the same session ID from a different
>> IP, the software assumes that it is a forgery, kills the session(s)
>> involved, and writes alarming things in the logfiles.
>> I don't know what security best practices are for sessions, but I think if
>> the IP changes during a session it would be unusual.
>> Dave.
> It is actually quite common for an IP to change during a session - for
> instance, AOL users have a "round robin" proxy system which picks the
> least busy proxy at the time the request is being made. Many large
> corporations have similar.
> And, of course, dynamic addresses can change at any time; some ISPs run
> leases as short as 1 hour.
Thanks for the heads up. It would have EVENTUALLY come out in testing with
users getting tossed, but better to know this in advance.
Makes sense.
I will change my code accordingly.
--
David T. Ashley (dt*@e3ft.com)
http://www.e3ft.com (Consulting Home Page)
http://www.dtashley.com (Personal Home Page)
http://gpl.e3ft.com (GPL Publications and Projects)
> There are no absolutes in computers. All there are are probabilities.
>
> You just have to lower the probabilities enough so that they aren't a
> problem.
> For a website with 37^31 possibilities, I would think anything 1B
> hits/sec. should be sufficient.
I think keeping track of the session IDs currently assigned would be a safe
solution (e.g. write the ID into the DB; with proper locking or unique
constraints, a collision won't occur).
David T. Ashley wrote:
> I don't know what security best practices are for sessions, but I think if
> the IP changes during a session it would be unusual.
Not particularly unusual. My office has three ADSL connections with
different IPs, and a load-balancing router. If a user in the office made
two page requests from your site, there is a 67% chance that they would
come from different IP addresses.
Such a network configuration is not particularly unusual. Many routers
aimed at offices of 50-200 people allow for load balancing between two or
more Internet connections.
--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.12-12mdksmp, up 3 days, 19:41.]
A New Look for TobyInkster.co.uk http://tobyinkster.co.uk/blog/2007/06/22/new-look/
>> Or, in fact, is the PHP session not 100% safe enough?
>
> A session ID is a hash. By definition hashes can _never_ be 100% unique,
Not entirely true. Generating the hash is not guaranteed to be unique,
but you can check if it already exists and generate another if it does.
I searched the documentation and could not find anything on uniqueness
of session IDs. If somebody has some more info, please point us to it.
Best regards,
--
Willem Bogaerts
Application smith
Kratz B.V. http://www.kratz.nl/
Yes.
So, assuming we don't know the uniqueness of PHP sessions, we can
implement those things ourselves if we really want to...
On 6/25, 2:56, Willem Bogaerts
<w.bogae...@kratz.maardanzonderditstuk.nl> wrote:
>>> Or, in fact, is the PHP session not 100% safe enough?
>> A session ID is a hash. By definition hashes can _never_ be 100% unique,
> Not entirely true. Generating the hash is not guaranteed to be unique,
> but you can check if it already exists and generate another if it does.
> I searched the documentation and could not find anything on uniqueness
> of session IDs. If somebody has some more info, please point us to it.
> Best regards,
> --
> Willem Bogaerts
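The "do it ourselves" approach that howa (IDs recorded in a database with a unique constraint) and Willem (check for an existing ID and generate another) describe, as an added example that is not code from the thread or from PHP; the `sessions` table, its columns, the retry limit and the in-memory SQLite stand-in for a real database are all assumptions:

```php
<?php
// Added example, not code from the thread. Combines howa's suggestion (record
// every issued session ID in a table with a unique constraint) with Willem's
// (if the ID already exists, generate another). An in-memory SQLite database
// stands in for the real one; the table and column names are assumptions.
declare(strict_types=1);

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:', null, null,
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    // PRIMARY KEY is unique: the database itself refuses a second copy of an ID.
    $db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, created_at INTEGER NOT NULL)');
    return $db;
}

// Time, microtime and PID are guessable; the ID itself comes from the CSPRNG.
function newSessionId(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes)); // 2 * $bytes hex characters
}

// Returns an ID that is guaranteed unique in $db, or throws after $maxTries.
// $gen is only there so the demo below can force a collision.
function allocateSessionId(PDO $db, int $maxTries = 5, ?callable $gen = null): string
{
    if ($gen === null) {
        $gen = 'newSessionId';
    }
    $stmt = $db->prepare('INSERT INTO sessions (id, created_at) VALUES (?, ?)');
    for ($try = 1; $try <= $maxTries; $try++) {
        $id = $gen();
        try {
            $stmt->execute([$id, time()]);
            return $id; // the INSERT won, so no other request holds this ID
        } catch (PDOException $e) {
            // SQLSTATE 23000 = integrity constraint violation (duplicate key):
            // another request got there first, or the generator repeated. Retry.
            if ((string) $e->getCode() !== '23000') {
                throw $e;
            }
        }
    }
    throw new RuntimeException("no unique session ID after $maxTries tries");
}
// Demo: a generator that hands out an already-used ID once exercises the retry.
$db    = openStore();
$first = allocateSessionId($db);
$calls = 0;
$collidingGen = function () use ($first, &$calls): string {
    return ++$calls === 1 ? $first : newSessionId();
};
$second = allocateSessionId($db, 5, $collidingGen);
printf("first=%s\nsecond=%s\ndraws=%d\n", $first, $second, $calls);
```

The same INSERT-and-catch pattern works unchanged against MySQL or PostgreSQL through PDO, since both report a duplicate key as SQLSTATE 23000.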