I've been interested in how sessions work internally, but I have little knowledge of C (and am unsure where to look in the PHP source for this).
This is what I understand of sessions at the moment:
- When you start a session the user gets assigned a session id which is stored in a cookie.
- When session data is saved (via
$_SESSION
) it is stored on the filesystem, with the relevant session id and an expiry time.
Is this correct? Also what is the method in which session id are created? I assume it's based on time but what if two users send a request at the same time? What methods are in place internally to prevent them getting the same id?
Thanks,
-
My understanding is of the internal session handling process is the following:
When
session_start
is called, PHP is looking for a parameter from the client that was sent via POST, GET, or in a cookie (depending on the configuration; see session.use_cookies, session.use_only_cookies, and session.use_trans_sid) with the name of the value of session.name to use the session ID of an already started session.If it finds a valid session ID, it tries to retrieve the session data from the storage (see session.save_handler) to load the data into
$_SESSION
. If it can’t find an ID or its usage is forbidden, PHP generates a new ID using a hash function (see session.hash_function) on data of a source that generates random data (see session.entropy_file).At the end of the runtime or when
session_write_close
is called, the session data in$_SESSION
is stored away into the designated storage. -
The session ID is probably just a random string of letters and numbers. Also it would be strange if PHP didn't check to see that it is unique and therefore cannot be the same for two users. As for (1) and (2), I'd say you're correct, but I haven't worked with PHP recently, so feel free not to believe me.
-
Look at php_session_create_id in ext/session/session.c in the php source
It goes like this:
- get time of day
- get remote ip address
- build a string with the seconds and microseconds from the current time, along with the IP address
- feed that into configured session hash function (either MD5 or SHA1)
- if configured, feed some additional randomness from an entropy file
- generate final hash value
So getting a duplicate is pretty difficult. However, you should familiarise yourself with the concept of session fixation, which allows an attacker to potentially choose the session_id their target will adopt - see Sessions and Cookies for a good primer.
0 comments:
Post a Comment