Aaaargghhh Session mixing in PHP

I am webmaster of a free dating site for Dutch people. After passing 30000 members, we started to experience problems with the session handling: people started to receive the same session ids. Of course this is not very nice for a dating site 🙂
After searching a bit on Google, I found people with similar problems. They 'fixed' it by setting session.entropy_file = /dev/urandom and session.entropy_length = 64. Problem was, I already had this set for my site... So that didn't work.
To fix it, I simply created the following code;

// gen_rand() is not shown in the original post; this body follows the
// description below (random letters and digits) and uses random_int(),
// which is available from PHP 7.
function gen_rand($len) {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $out;
}

function _session_start() {
    // Turn "10.0.0.1" into "10c0c0c1c": dots are not valid session id characters
    $ipad = $_SERVER["REMOTE_ADDR"];
    $ipad = str_replace(".", "c", $ipad) . "c";
    if (!session_id()) {
        session_start();
    }
    // The id must start with this client's own address prefix; if it does not,
    // throw the session away and issue a new prefixed id
    if (substr(session_id(), 0, strlen($ipad)) != $ipad) {
        session_destroy();
        $ipad .= gen_rand(35);
        session_id($ipad);
        session_start();
    }
}

where gen_rand generates 35 random letters and numbers. Replace all your session_start() calls with _session_start() and all will be fine.

On a dating site this works fine; there are no big companies behind one IP address. You can use more elaborate schemes for creating this session id. For instance, adding a second random cookie on the client will make the chance of duplicate ids very, very small.
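The "second random cookie" variant mentioned above, written out as an added example (this is not code from the original post). It keeps the IP-prefixed session id, but additionally binds the session to a random token that lives both in a second cookie and inside the session data; a session that arrives without a matching token is discarded, so two visitors who somehow receive the same id cannot end up in each other's session. The cookie name "sbind", the function names and the 36-character suffix are my own choices; it needs PHP 7 or later for random_bytes().

```php
<?php
// Added example: session id prefixed with the client address, plus a second
// random cookie ("sbind", name assumed here) that must match the token stored
// in the session. Not part of the original post.

function sbind_token(): string {
    // 16 bytes from the CSPRNG, hex encoded (32 characters)
    return bin2hex(random_bytes(16));
}

function _session_start_bound(): void {
    // Dots (IPv4) and colons (IPv6) are not valid session id characters;
    // map both to "c" so "10.0.0.1" becomes "10c0c0c1c"
    $ipad = str_replace(['.', ':'], 'c', $_SERVER['REMOTE_ADDR']) . 'c';

    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();   // loads whatever id the browser sent, if any
    }

    // Check 1: the id was issued for this client's address
    $prefix_ok = substr(session_id(), 0, strlen($ipad)) === $ipad;

    // Check 2: the binding cookie matches the token recorded in the session.
    // hash_equals() compares in constant time.
    $token_ok = isset($_COOKIE['sbind'], $_SESSION['sbind'])
        && hash_equals($_SESSION['sbind'], $_COOKIE['sbind']);

    if (!$prefix_ok || !$token_ok) {
        // Wrong address or wrong token: drop this session entirely and
        // issue a fresh id and a fresh binding token
        $_SESSION = [];
        session_destroy();

        $token = sbind_token();
        session_id($ipad . bin2hex(random_bytes(18)));   // 36 random hex chars
        session_start();
        $_SESSION['sbind'] = $token;

        // Secure flag only over HTTPS; HttpOnly keeps scripts away from it
        $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
        setcookie('sbind', $token, 0, '/', '', $secure, true);
    }
}

// Use in place of session_start() on every page
_session_start_bound();
```

On a visitor's first request both checks fail, which is what issues the prefixed id and the binding cookie; from the next request on, both cookies travel together and the checks pass.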
