pavanpuligandla, posted September 26, 2008:

Hi, can anyone provide information about the length of PHPSESSID? I saw that JSESSID is 16 characters long and in my application PHPSESSID is 26 characters, but in Gmail I saw a SID of over 100 characters. Does this session ID length have any prominence? Please post detailed session ID information, like how many characters can a PHPSESSID contain? Are there any security vulnerabilities if the sessid is small? Many thanks, Pavan.P
dezkit, posted September 26, 2008:

I think the php.ini file.
pavanpuligandla (author), posted September 26, 2008:

Hi, I read the php.ini file, but I am not yet clear about the length of the session ID. ;session.entropy_length = 16 Can you elaborate on the description?
xtopolis, posted September 26, 2008:

If the session ID is being passed via the URL it can be quite large, as large as the URL allows and the browser can understand. [src: http://www.boutell.com/newfaq/misc/urllength.html] But I didn't check if PHP has a limit on what it can read! If it's in a cookie, I'm not sure, but I assume as big as a $var can hold when you retrieve it from... the max being the size limit per domain in cookies... How big?: "Short" to "Very long". Security vulnerabilities if small?: Easier to guess if trying to hijack... but really, if you use the session as a short-term thing like it's made to be, you shouldn't have many problems at all.
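A worked example of the "easier to guess if small" point, added here and not part of any post in the thread or of PHP itself. It assumes what PHP 5.x does by default: the session ID is derived from a 128-bit MD5 digest (session.hash_function = 0) and encoded with session.hash_bits_per_character bits per character, which is why the same 128 bits show up as 32 hex characters, 26 base-32 characters or 22 base-64-style characters (the 26-character PHPSESSID mentioned above matches the 5-bits-per-character setting). session.entropy_length, from the php.ini line quoted above, sets how many extra bytes are read from session.entropy_file and mixed into that digest; it does not change the ID's length. The sample IDs in the block are constructed, and the 16-character JSESSID is treated as hex only as an assumption.

```python
"""Session ID guessability (added example; assumptions labelled above)."""
import math

# Character alphabets PHP uses for hash_bits_per_character = 4, 5 and 6.
ALPHABETS = {
    4: "0123456789abcdef",
    5: "0123456789abcdefghijklmnopqrstuv",
    6: "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,",
}


def bits_per_char(sid):
    """Smallest PHP alphabet that contains every character of `sid`, or None."""
    for bits in sorted(ALPHABETS):
        if all(c in ALPHABETS[bits] for c in sid):
            return bits
    return None


def encoded_bits(sid):
    """Upper bound on the entropy the string itself can carry."""
    bpc = bits_per_char(sid)
    return None if bpc is None else bpc * len(sid)


def effective_bits(sid, digest_bits=128):
    """Entropy actually available: a longer string cannot carry more than
    the digest it encodes, so the bound is capped at `digest_bits`."""
    enc = encoded_bits(sid)
    return None if enc is None else min(enc, digest_bits)


def hit_probability(bits, live_sessions, guesses):
    """P(at least one random guess lands on one of `live_sessions` valid IDs)
    in a space of 2**bits.  Valid IDs are assumed uniformly distributed."""
    p_single = live_sessions / 2.0 ** bits
    return 1.0 - (1.0 - p_single) ** guesses


def expected_guesses(bits, live_sessions):
    """Mean number of random guesses before the first hit."""
    return 2.0 ** bits / live_sessions


def years_to_expected_hit(bits, live_sessions, guesses_per_second):
    """How long a brute-force attempt takes on average at a given request rate."""
    seconds = expected_guesses(bits, live_sessions) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    samples = {  # all constructed for illustration
        "16-char hex (JSESSID, assumed hex)": "0123456789abcdef",
        "26-char PHPSESSID (5 bits/char)": "ab3kq9v0mn1pqrst2uv7h8j4kl",
        "32-char PHPSESSID (4 bits/char)": "0123456789abcdef0123456789abcdef",
    }
    live, rate = 10_000, 1_000_000  # assumed live sessions and guesses/second
    for label, sid in samples.items():
        bits = effective_bits(sid)
        print(f"{label}: {bits} effective bits, "
              f"~{years_to_expected_hit(bits, live, rate):.3g} years to a hit "
              f"at {rate} guesses/s against {live} live sessions")
```

The point the numbers make: with 128 bits of real entropy the ID is not the weak link even against millions of guesses per second, whereas an ID whose characters come from a small alphabet or a short digest shrinks the search space exponentially. The string length alone says nothing; what matters is how many bits of unpredictable input went into it.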
pavanpuligandla (author), posted September 26, 2008:

Hi, thanks for the comeback. I'm including this PHP script which md5's the SID. Is it a secure one?

```php
<?php
/*
  SecureSession class
  Written by Vagharshak Tozalakyan <vagh@armdex.com>
  Released under GNU Public License
*/
class SecureSession
{
    // Include browser name in fingerprint?
    var $check_browser = true;

    // How many numbers from IP use in fingerprint?
    var $check_ip_blocks = 2;

    // Control word - any word you want.
    var $secure_word = 'FUNDAMENTALS';

    // Regenerate session ID to prevent fixation attacks?
    var $regenerate_id = true;

    // Call this when init session.
    function Open()
    {
        $_SESSION['ss_fprint'] = $this->_Fingerprint();
        $this->_RegenerateId();
    }

    // Call this to check session.
    function Check()
    {
        $this->_RegenerateId();
        // Strict comparison: loose == on two hex strings can treat them as
        // numbers (e.g. "0e..." forms) and compare equal when they are not.
        return (isset($_SESSION['ss_fprint']) &&
                $_SESSION['ss_fprint'] === $this->_Fingerprint());
    }

    // Internal function. Returns MD5 from fingerprint.
    function _Fingerprint()
    {
        $fingerprint = $this->secure_word;
        if ($this->check_browser) {
            // The header may be absent; avoid an undefined-index notice.
            $fingerprint .= isset($_SERVER['HTTP_USER_AGENT'])
                ? $_SERVER['HTTP_USER_AGENT'] : '';
        }
        if ($this->check_ip_blocks) {
            $num_blocks = abs(intval($this->check_ip_blocks));
            if ($num_blocks > 4) {
                $num_blocks = 4;
            }
            // Dotted-quad split; an IPv6 REMOTE_ADDR yields a single block,
            // so guard the index rather than read past the array.
            $blocks = explode('.', $_SERVER['REMOTE_ADDR']);
            for ($i = 0; $i < $num_blocks; $i++) {
                $fingerprint .= (isset($blocks[$i]) ? $blocks[$i] : '') . '.';
            }
        }
        return md5($fingerprint);
    }

    // Internal function. Regenerates session ID if possible.
    function _RegenerateId()
    {
        if ($this->regenerate_id && function_exists('session_regenerate_id')) {
            // The delete_old_session argument exists from PHP 5.1.0 onward,
            // so pass it only when running on 5.1.0 or newer (the original
            // comparison was reversed and passed it on older versions).
            if (version_compare(phpversion(), '5.1.0', '>=')) {
                session_regenerate_id(true);
            } else {
                session_regenerate_id();
            }
        }
    }
}
?>
```