Is my understanding of PHP sessions correct?

Solution 1:

My understanding of the internal session handling process is the following:

When session_start is called, PHP looks for a parameter from the client that was sent via POST, GET, or in a cookie (depending on the configuration; see session.use_cookies, session.use_only_cookies, and session.use_trans_sid), whose name is the value of session.name, to use as the session ID of an already started session.

If it finds a valid session ID, it tries to retrieve the session data from the storage (see session.save_handler) to load the data into $_SESSION. If it can’t find an ID or its usage is forbidden, PHP generates a new ID using a hash function (see session.hash_function) on data of a source that generates random data (see session.entropy_file).

At the end of the runtime or when session_write_close is called, the session data in $_SESSION is stored away into the designated storage.

Solution 2:

Look at php_session_create_id in ext/session/session.c in the PHP source.

It goes like this:

  • get time of day
  • get remote ip address
  • build a string with the seconds and microseconds from the current time, along with the IP address
  • feed that into the configured session hash function (either MD5 or SHA1)
  • if configured, feed some additional randomness from an entropy file
  • generate final hash value

So getting a duplicate is pretty difficult. However, you should familiarise yourself with the concept of session fixation, which allows an attacker to potentially choose the session_id their target will adopt - see Sessions and Cookies for a good primer.
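
The following PHP script is an added example (not code from any of the answers, and assuming PHP 8.1 or later): a tracing save handler makes the lifecycle described in Solution 1 visible (session_start loads data for the ID through the handler, session_write_close stores it), and session_regenerate_id applies the defence against the session fixation that Solution 2 mentions. The TracingHandler class and its in-memory store are constructed for the demo.

```php
<?php
// Added example (PHP >= 8.1), not code from any answer above: trace the
// save-handler calls behind session_start()/session_write_close() and
// regenerate the ID on login, the usual defence against session fixation.
final class TracingHandler
    implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    private array $store = [];   // constructed in-memory "storage" for the demo
    public array $log = [];      // order in which PHP called the handler
    public function open(string $path, string $name): bool
    { $this->log[] = 'open'; return true; }
    public function close(): bool
    { $this->log[] = 'close'; return true; }
    public function read(string $id): string|false
    { $this->log[] = "read($id)"; return $this->store[$id] ?? ''; }
    public function write(string $id, string $data): bool
    { $this->log[] = "write($id)"; $this->store[$id] = $data; return true; }
    public function destroy(string $id): bool
    { $this->log[] = "destroy($id)"; unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int|false
    { $this->log[] = 'gc'; return 0; }
    // With session.use_strict_mode=1 PHP asks this before trusting a
    // client-supplied ID; an unknown ID is dropped and a fresh one created.
    public function validateId(string $id): bool
    { $this->log[] = "validateId($id)"; return isset($this->store[$id]); }
    public function updateTimestamp(string $id, string $data): bool
    { $this->log[] = "touch($id)"; return true; }
}

// Take the ID from a cookie only, never from the URL, and only if it exists.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
$handler = new TracingHandler();
session_set_save_handler($handler, true);   // must precede session_start()

session_start();                  // open + read(first ID); CLI sends no cookie
$_SESSION['user'] = 'guest';
$oldId = session_id();
// Privilege change (login): issue a new ID so a fixated one buys nothing.
session_regenerate_id(true);      // destroy(old ID), then read(new ID)
$_SESSION['user'] = 'alice';
$newId = session_id();
session_write_close();            // write(new ID) + close
printf("ID changed: %s\n", var_export($oldId !== $newId, true));
echo implode(' -> ', $handler->log), PHP_EOL;
```

Run it from the command line (php session_demo.php) to see the handler calls in the order PHP makes them; the same code behind a web server would also set the new cookie on the client.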

Solution 3:

The session ID is probably just a random string of letters and numbers. Also, it would be strange if PHP didn't check to see that it is unique and therefore cannot be the same for two users. As for (1) and (2), I'd say you're correct, but I haven't worked with PHP recently, so feel free not to believe me.