This is a discussion on uniqueness of session within the PHP Language forums, part of the PHP Programming Forums category; If two PCs from the same router connect to my web server, will unique session IDs be generated for each ...
If two PCs from the same router connect to my web server, will unique session IDs be generated for each connection?

In fact, is there an article talking about how PHP generates session cookies?

--
iTech Consulting Services Limited
Expert of ePOS solutions
Website: http://www.itech.com.hk (IE only)
Tel: (852)2325 3883 Fax: (852)2325 8288

> No article I know of. But you will get two different session id's.
> You'll also get two session id's if the user uses two different browsers
> (i.e. IE and Firefox) from the same computer.

Thanks. Guess I have to read the source codes of PHP to find it out then .... :)

--
iTech Consulting Services Limited
Expert of ePOS solutions
Website: http://www.itech.com.hk (IE only)
Tel: (852)2325 3883 Fax: (852)2325 8288

Man-wai Chang wrote:
> If two PCs from the same router connect to my web server, will unique
> session IDs be generated for each connection?
>
> In fact, is there an article talking about how PHP generates session
> cookies?

No article I know of. But you will get two different session id's.

You'll also get two session id's if the user uses two different browsers (i.e. IE and Firefox) from the same computer.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Man-wai Chang wrote:
>> No article I know of. But you will get two different session id's.
>> You'll also get two session id's if the user uses two different
>> browsers (i.e. IE and Firefox) from the same computer.
>
> Thanks. Guess I have to read the source codes of PHP to find it out then
> ... :)

It has nothing to do with the source code for PHP. It's how browsers work.

The browser keeps track of the session id, generally in a cookie (if cookies aren't supported PHP uses the GET parameters). Two different computers cannot share the same cookie - and therefore the same session id.

It has nothing to do with ip addresses at all (which are not unique and may change at any time).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

On Apr 26, 4:52 am, Man-wai Chang <toylet.toy...@gmail.com> wrote:
> > No article I know of. But you will get two different session id's.
> > You'll also get two session id's if the user uses two different browsers
> > (i.e. IE and Firefox) from the same computer.
>
> Thanks. Guess I have to read the source codes of PHP to find it out then
> ... :)
>
> --
> iTech Consulting Services Limited
> Expert of ePOS solutions
> Website: http://www.itech.com.hk (IE only)
> Tel: (852)2325 3883 Fax: (852)2325 8288

they are only statistically unique of course, but we are talking about 1 in 36^32 for php.

there have been various discussions about comparisons between .net php j2ee session ids. see here for instance on how to test their relative strengths:
http://www.owasp.org/index.php/How_t...with_WebScarab

and here for more on the security aspects of session identifiers, (as of course the non collision is but one [solved] aspect)
http://www.owasp.org/index.php/Session_Management

Jerry Stuckle wrote:
> Man-wai Chang wrote:
>>> No article I know of. But you will get two different session id's.
>>> You'll also get two session id's if the user uses two different
>>> browsers (i.e. IE and Firefox) from the same computer.
>>
>> Thanks. Guess I have to read the source codes of PHP to find it out
>> then ... :)
>>
>
> It has nothing to do with the source code for PHP. It's how browsers work.
>
> The browser keeps track of the session id, generally in a cookie (if
> cookies aren't supported PHP uses the GET parameters). Two different
> computers cannot share the same cookie - and therefore the same session id.
>
> It has nothing to do with ip addresses at all (which are not unique and
> may change at any time).

To elaborate:

When you 'start' a session, and the browser hasn't given the server a session-id, a new session will be created, of which the server knows it's not currently in use. Different browsers on a computer cannot check each other's session-id's (well, they could, but that's not implemented and probably never will be simply because it's not useful). So they get different ones. This also means a browser which doesn't accept and/or get a session-id will make the server start a new session on every request.

Simplest way to view it: a _program_ (normally browser) is communicating with the server, not your computer, or your router, or your modem. Although some ill-advised people often want to make it appear (/implement) as such.

--
Rik Wasmus
Estimated date being able to walk again: 01-05-2007.
Less than a week, hurray!

On Apr 26, 4:23 am, Man-wai Chang <toylet.toy...@gmail.com> wrote:
> If two PCs from the same router connect to my web server, will unique
> session IDs be generated for each connection?
>
> In fact, is there an article talking about how PHP generates session
> cookies?
>
> --
> iTech Consulting Services Limited
> Expert of ePOS solutions
> Website: http://www.itech.com.hk (IE only)
> Tel: (852)2325 3883 Fax: (852)2325 8288

answering a similar point - that of /can/ you use the same session identifier on two browsers, the answer is yes for the most part. so if your router is admin'd by someone you don't trust, it is more than possible for the session id to be reused (replayed) so that your session is active on two different machines.

This is partly the reason why the sessions space is so large, the sparseness of the space makes session id prediction unlikely, the randomness adds to this unlikeliness. But none of this prevents your session ID from being reused, so if you have a hub somewhere on your network, you are allowing other users to sniff your session ids, which are often used as "authenticators" so allowing session hijacking.

all these concerns come into play and so you shouldn't really feel too secure if you don't admin the router, or if your router is not patched with the latest firmware, and is the reason why routers while often ignored, are a vital consideration when considering security.

toodle pip.
m

The INI setting session.use_cookies can be used to disable the use of cookies for storing the session id remotely, and then I guess PHP will just rely on the IP address and (probably) User-Agent header. In this case, it may use the same session id for two computers under the same router.

On Apr 26, 11:54 pm, Mike P2 <sumguyovrt...@gmail.com> wrote:
> The INI setting session.use_cookies can be used to disable the use of
> cookies for storing the session id remotely, and then I guess PHP will
> just rely on the IP address and (probably) User-Agent header. In this
> case, it may use the same session id for two computers under the same
> router.

in this case the application is responsible for maintaining state, which means that if the application does not send the sess id in the url/hidden input/cookie and receive it and maintain it server side in a file/database then a session won't be started/maintained.

> The INI setting session.use_cookies can be used to disable the use of
> cookies for storing the session id remotely, and then I guess PHP will
> just rely on the IP address and (probably) User-Agent header. In this
> case, it may use the same session id for two computers under the same
> router.

It won't. Instead, PHP will rewrite your HTML output to inject the session parameter in your forms, URLs, etc. So when you switch off cookie-based session ID communication, PHP will try to use GET or POST.

Best regards,
--
Willem Bogaerts
Application smith
Kratz B.V.
http://www.kratz.nl/
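
Added example, not written by any poster in this thread: a PHP session bootstrap that addresses the two risks raised above, session IDs rewritten into URLs and forms when cookies are off, and sniffed IDs being replayed from another machine. It assumes PHP 7.3 or later and a site served over HTTPS; the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: hardened session bootstrap (assumes PHP 7.3+ and HTTPS).
// start_hardened_session(), on_login() and require_fresh_session() are
// hypothetical names, not part of PHP or of the thread.

function start_hardened_session(): void
{
    // Carry the ID in a cookie only: no URL/form rewriting, and IDs
    // arriving as GET/POST parameters are ignored.
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Refuse session IDs that the server did not issue itself.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only, never in cleartext
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function on_login(string $userId): void
{
    // Issue a fresh ID at the privilege change and delete the old session
    // data, so an ID observed before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_seen'] = time();
}

function require_fresh_session(int $maxIdleSeconds = 900): bool
{
    // Expire idle sessions on the server; a replayed ID only works
    // while the legitimate session is still inside this window.
    $last = $_SESSION['last_seen'] ?? 0;
    if (!isset($_SESSION['user_id']) || time() - $last > $maxIdleSeconds) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}
```

Call `start_hardened_session()` before any output on every request, `on_login()` once credentials have been verified, and `require_fresh_session()` at the top of each protected page.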