
Length of a PHP SessionID....


pavanpuligandla


Hi..

Can anyone provide information about the length of PHPSESSID?

I saw that JSESSID is 16 characters long, and in my application PHPSESSID is 26 characters,

but in Gmail, I saw a SID of above 100 characters..

 

Does this session ID length have any prominence?

Please post detailed session ID information like:

how many characters can a PHPSESSID contain?

are there any security vulnerabilities if the sessid is small?

 

Many Thanks,

Pavan.P

 

https://forums.phpfreaks.com/topic/125889-length-of-a-php-sessionid/

If the session ID is being passed via the URL it can be quite large, as large as the URL allows and the browser can understand.

[src: http://www.boutell.com/newfaq/misc/urllength.html]

But I didn't check if PHP has a limit it can read!

 

If it's in a cookie, I'm not sure, but I assume as big as a $var can hold when you retrieve it from... the max being the size limit per domain in cookies...

 

How big?: "Short" to "Very long"

security vulnerabilities if small?: Easier to guess if trying to hijack.. but really, if you use the session as a short term thing like it's made to be, you shouldn't have many problems at all.
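The guessability point above is really about entropy, not character count. The following is an added example, not code from this thread or from PHP's own sources; it assumes PHP 7.1 or later, where the ID is drawn directly from the CSPRNG and its size is set by session.sid_length and session.sid_bits_per_character. On older PHP the ID is a hash digest (MD5 by default) encoded at session.hash_bits_per_character bits per character, and a 128-bit digest at 5 bits per character is exactly the 26 characters the question mentions, so such an ID carries at most 128 bits regardless of its length. The function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: what a PHP session ID's length
// buys in guess resistance, and how to set it. Assumes PHP >= 7.1 for
// session.sid_length / session.sid_bits_per_character and session_create_id().

/**
 * Entropy of a session ID when PHP draws $length random characters with
 * $bitsPerChar bits each (session.sid_bits_per_character may be 4, 5 or 6).
 */
function sidEntropyBits(int $length, int $bitsPerChar): int
{
    return $length * $bitsPerChar;
}

/**
 * Expected number of blind guesses before one lands on a live session, given
 * $activeSessions valid IDs in a space of 2^$entropyBits. Returned as a float
 * because 2^104 and up do not fit in an int.
 */
function expectedGuesses(int $entropyBits, int $activeSessions): float
{
    return (2.0 ** $entropyBits) / $activeSessions;
}

/** Must be called before session_start(); these settings are ignored after it. */
function configureSessionIds(): void
{
    ini_set('session.sid_length', '26');             // 26 chars, as in the question
    ini_set('session.sid_bits_per_character', '5');  // 26 * 5 = 130 bits of entropy
    ini_set('session.use_strict_mode', '1');         // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1');        // never read the ID from the URL
    ini_set('session.cookie_httponly', '1');         // keep it away from page scripts
}

if (PHP_SAPI === 'cli') {
    configureSessionIds();
    $id = session_create_id();   // collision check is skipped when no session is active
    printf("generated id: %s (%d chars)\n", $id, strlen($id));

    // Compare a few layouts: the 26x5 one above, a 16-char ID at 4 bits/char,
    // and PHP's built-in default of 32 chars at 4 bits/char.
    foreach ([[26, 5], [16, 4], [32, 4]] as [$len, $bits]) {
        $entropy = sidEntropyBits($len, $bits);
        printf("%2d chars x %d bits = %3d bits; ~%.1e guesses against 1e6 live sessions\n",
            $len, $bits, $entropy, expectedGuesses($entropy, 1000000));
    }
}
```

Run it from the command line with `php sid.php`. The table it prints is the reason a short ID matters: the attacker is not guessing one ID but any of the IDs that are live at that moment, so the work is 2^bits divided by the number of active sessions, and every character you drop removes four to six bits. use_strict_mode and use_only_cookies matter as much as the length, because an ID that can be set by the attacker (fixation) or read from a URL in a referrer log does not need to be guessed at all.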

Hi

Thanks for the comeback.. I'm including this PHP script which md5's the SID, is it a secure one?

<?php

/*
  SecureSession class
  Written by Vagharshak Tozalakyan <[email protected]>
  Released under GNU Public License
*/

class SecureSession
{
    // Include browser name in fingerprint?
    public $check_browser = true;

    // How many numbers from IP use in fingerprint?
    public $check_ip_blocks = 2;

    // Control word - any word you want.
    public $secure_word = 'FUNDAMENTALS';

    // Regenerate session ID to prevent fixation attacks?
    public $regenerate_id = true;

    // Call this when init session (after session_start()).
    public function Open()
    {
        $_SESSION['ss_fprint'] = $this->_Fingerprint();
        $this->_RegenerateId();
    }

    // Call this to check session. True only when a stored fingerprint exists
    // and is byte-for-byte identical to the current request's fingerprint
    // (strict comparison, so two hex digests are never compared as numbers).
    public function Check()
    {
        $this->_RegenerateId();
        return (isset($_SESSION['ss_fprint']) && $_SESSION['ss_fprint'] === $this->_Fingerprint());
    }

    // Internal function. Returns MD5 of the fingerprint material.
    protected function _Fingerprint()
    {
        $fingerprint = $this->secure_word;
        if ($this->check_browser && isset($_SERVER['HTTP_USER_AGENT'])) {
            $fingerprint .= $_SERVER['HTTP_USER_AGENT'];
        }
        if ($this->check_ip_blocks && isset($_SERVER['REMOTE_ADDR'])) {
            $num_blocks = abs(intval($this->check_ip_blocks));
            if ($num_blocks > 4) {
                $num_blocks = 4;
            }
            // Dotted-quad IPv4 only: an IPv6 address contains no dots, so only
            // the blocks that actually exist are appended.
            $blocks = explode('.', $_SERVER['REMOTE_ADDR']);
            for ($i = 0; $i < $num_blocks && isset($blocks[$i]); $i++) {
                $fingerprint .= $blocks[$i] . '.';
            }
        }
        return md5($fingerprint);
    }

    // Internal function. Regenerates session ID if possible. The
    // delete_old_session argument exists from PHP 5.1.0 on, so the running
    // version is compared against 5.1.0 (not 5.1.0 against the running version).
    protected function _RegenerateId()
    {
        if ($this->regenerate_id && function_exists('session_regenerate_id')) {
            if (version_compare(PHP_VERSION, '5.1.0', '>=')) {
                session_regenerate_id(true);
            } else {
                session_regenerate_id();
            }
        }
    }
}
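Note that the class above does not hash the session ID at all; it hashes a fingerprint of the client (a fixed word, the user agent and the first IP octets) and stores that digest in the session, so a stolen ID presented from a different browser or network is rejected. Here is an added example of the same idea, written for this page rather than taken from the post or from Tozalakyan's class, that replaces the fixed word with an HMAC under a server-side secret, handles IPv6 addresses (which have no dots to split on), and compares in constant time. The function names are hypothetical, and $server and $session stand in for $_SERVER and $_SESSION so the script runs from the CLI with constructed requests.

```php
<?php
declare(strict_types=1);

// Added example, not the SecureSession class from the post: bind a session to
// coarse client traits with an HMAC, handling IPv6 and comparing in constant
// time. $server stands in for $_SERVER and $session for $_SESSION.

/** Routing prefix of an IP (/16 for IPv4, /64 for IPv6), hex encoded. */
function ipPrefix(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return 'invalid';
    }
    $packed = inet_pton($ip);                 // 4 bytes for IPv4, 16 for IPv6
    $keep = strlen($packed) === 4 ? 2 : 8;
    return bin2hex(substr($packed, 0, $keep));
}

/** HMAC over user agent and IP prefix; the secret lives in server config, never in the cookie. */
function clientFingerprint(array $server, string $secret): string
{
    $material = ($server['HTTP_USER_AGENT'] ?? '') . "\n" . ipPrefix($server['REMOTE_ADDR'] ?? '');
    return hash_hmac('sha256', $material, $secret);
}

/** Call at login; in a real request follow it with session_regenerate_id(true). */
function bindSession(array &$session, array $server, string $secret): void
{
    $session['fprint'] = clientFingerprint($server, $secret);
}

/** Call on every request before trusting anything in the session. */
function checkSession(array $session, array $server, string $secret): bool
{
    $stored = $session['fprint'] ?? null;
    return is_string($stored) && hash_equals($stored, clientFingerprint($server, $secret));
}

// Constructed sample requests, not real traffic.
$secret = 'placeholder: load a random 32-byte secret from configuration';
$ua = 'Mozilla/5.0 (X11; Linux x86_64) Gecko/20080201 Firefox/2.0.0.12';
$session = [];
bindSession($session, ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '198.51.100.23'], $secret);

$cases = [
    'same browser, new address in same /16' => ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '198.51.100.77'],
    'same browser, different network'      => ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '203.0.113.9'],
    'other browser, same address'          => ['HTTP_USER_AGENT' => 'curl/7.19', 'REMOTE_ADDR' => '198.51.100.23'],
    'no headers at all'                    => [],
];
foreach ($cases as $label => $server) {
    printf("%-40s %s\n", $label, checkSession($session, $server, $secret) ? 'accepted' : 'rejected');
}

// IPv6 client: splitting on '.' would yield a single useless block here,
// but the packed-prefix comparison treats the /64 the same way as the IPv4 /16.
$session6 = [];
bindSession($session6, ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '2001:db8:1:2::1'], $secret);
$sameNet = ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '2001:db8:1:2::9abc'];
printf("%-40s %s\n", 'ipv6, same /64', checkSession($session6, $sameNet, $secret) ? 'accepted' : 'rejected');
```

Running it shows the first and last cases accepted and the middle three rejected, which is exactly the scope of what a fingerprint buys you: it blocks a copied ID that arrives from another network or another browser, and nothing more. A thief on the same /16 who copies the User-Agent header along with the cookie passes the check, so this is a supplement to a long random ID, session.use_strict_mode, HttpOnly cookies and session_regenerate_id(true) at login, not a replacement for them. The HMAC secret matters because a fixed word such as 'FUNDAMENTALS' is in the source; with a per-deployment secret nobody can precompute the expected digest for a given client.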

Archived

This topic is now archived and is closed to further replies.
