Wednesday, July 1, 2009

Generating Custom Session ID in PHP 5

Another one of my favorite questions from Zend PHP 5 Certification Mock Exam. Correct answer in bold.
If you would like to change the session ID generation function, which of the following is the best approach for PHP 5?
  • Set the session.hash_function INI configuration directive
  • Use the session_set_id_generator() function
  • Set the session id by force using the session_id() function
  • Use the session_regenerate_id() function
  • Implement a custom session handler
Surprisingly, the most obvious answer, made sound like something not really reasonable, is the correct one. A few words of explanation.
And session_id() is the only one on the list allowing to set custom session id and definitely it is the correct answer.
Posted by at 8:56 PM
Labels: ,

27 comments:

  1. SnowcoreAugust 25, 2009 at 3:59 PM

    How can I do this? PHP doesn't allows to redeclare functions

    ReplyDelete
  2. AnonymousOctober 11, 2009 at 6:44 PM

    dude you are Wrong! the correct answer would be "Use the session_regenerate_id() function"

    ReplyDelete
  3. AnonymousOctober 11, 2009 at 6:45 PM

    http://blogs.sans.org/appsecstreetfighter/2009/06/29/session-attacks-and-php-part-2/

    http://us.php.net/manual/en/function.session-regenerate-id.php

    ReplyDelete
  4. UnknownOctober 16, 2009 at 4:04 PM

    Hi jpablobr, thanks for the comment. As I see it, the question is about changing session generation algorithm and not about session attacks. I would hold the ground.

    ReplyDelete
  5. UnknownOctober 16, 2009 at 4:06 PM

    snowcore, the trick is to generate the id using your own algorithm and then force-set it using session_id().

    ReplyDelete
  6. AnonymousApril 20, 2010 at 4:02 PM

    i guess the answer should be "Set the session.hash_function INI configuration directive"

    because the question is "If you would like to change the session ID generation function"
    means changing "session ID generation function" and not the session ID

    let me know your views

    ReplyDelete
  7. AnonymousApril 28, 2010 at 4:19 PM

    I believe samsami2u is correct. I had this same question in the PHP 5 mock exam. The question is asking how you 'change the session ID generation' which implys that you are required to change the built-in session ID generation, not provide your own session id.

    ReplyDelete
  8. UnknownMay 9, 2010 at 4:23 PM

    Hi guys, thanks for your comments.
    I agree that the question itself is not very clear so there is some space for interpretation. I might be wrong with mine, it happens only too often. However, the question starts with "if you would like to change the session ID generation function" and I believe the key phrase here is "ID generation function". PHP allows for changing ID generation ALGORITHM (the discussed above session.hash_function) but the only way to change the ID generation FUNCTION is to create a function which generates the ID and then calls session_id() to set it.

    I hope it makes more sense now.

    Jacek

    ReplyDelete
  9. Factory Direct Craft SupplyMay 28, 2010 at 1:12 AM

    I would agree with you, Jacek. The hash setting simply changes the algo the existing function uses... but then again it is labeled "session.hash_FUNCTION" which further confuses the issue, though the docs say changing the hash function value merely "allows you to specify the hash algorithm used to generate the session IDs". If the correct answer really is changing the session.hash_function, then it is only proof as to why i hate written tests for something like programming, which should test your skills at implementing a solution and the elegance of that solution, not confuse you with badly worded and vague questions.

    ReplyDelete
  10. Craig R MortonJuly 29, 2010 at 8:55 PM

    There's no doubt about it that the question is as clear as mud. I had to re-read it a few times to get it into my cranium.

    However, I think you are correct in your initial post Jacek.

    Cheers for the post again.

    Picco

    ReplyDelete
  11. SimApril 29, 2011 at 5:00 PM

    My recommendation is to override the session handling with session_set_save_handler, then in the 'read' function, which is the first function call after session_start() check the length of the session_id, it defaults to 26 characters so if you make your custom ones say 40 chars long then you'll know if its a new session thats not been overridden yet by checking the length.

    You can then generate a random string for the session and pass it into session_id($new_id) like so before continuing your processing.

    Sim

    ReplyDelete
  12. VortexGazer109September 29, 2023 at 2:53 PM

    Erzurum
    Elazığ
    Konya
    Zonguldak
    Eskişehir
    S4H

    ReplyDelete
  13. SilverVortexSeptember 29, 2023 at 7:01 PM

    Kocaeli
    Denizli
    Bursa
    istanbul
    Van
    AVYWSE

    ReplyDelete
  14. AzerrrOctober 1, 2023 at 4:51 AM

    Erzurum
    istanbul
    Ağrı
    Malatya
    Trabzon
    Q2ECKK

    ReplyDelete
  15. InfinityBender42October 4, 2023 at 3:46 AM

    ankara
    sakarya
    tekirdağ
    kastamonu
    amasya
    JZJ1

    ReplyDelete
  16. ByteBender42October 8, 2023 at 8:22 AM

    goruntulu show
    ücretli
    D5V8O

    ReplyDelete
  17. MertOctober 8, 2023 at 12:06 PM

    whatsapp görüntülü show
    ücretli.show
    İY6

    ReplyDelete
  18. ZaraOctober 21, 2023 at 8:04 AM

    Ağrı Lojistik
    Çorlu Lojistik
    Kars Lojistik
    Antalya Lojistik
    Rize Lojistik
    LF1W4W

    ReplyDelete
  19. CosmicNomadXYOLG129October 22, 2023 at 3:52 AM

    Maraş Lojistik
    Hatay Lojistik
    Tokat Lojistik
    Elazığ Lojistik
    Aksaray Lojistik
    QM72

    ReplyDelete
  20. DF5A8Anthony6C74CNovember 6, 2023 at 10:21 AM

    99E01
    Niğde Parça Eşya Taşıma
    Karabük Lojistik
    Tekirdağ Evden Eve Nakliyat
    Ardahan Evden Eve Nakliyat
    Artvin Evden Eve Nakliyat

    ReplyDelete
  21. B8F65TimothyBFC7BNovember 8, 2023 at 3:46 PM

    58826
    Paribu Güvenilir mi
    Karabük Evden Eve Nakliyat
    Kırklareli Evden Eve Nakliyat
    Kalıcı Makyaj
    Urfa Evden Eve Nakliyat

    ReplyDelete
  22. 17FDACraig0ABE1November 8, 2023 at 10:21 PM

    1E1DC
    Yenimahalle Fayans Ustası
    Ünye Boya Ustası
    Elazığ Lojistik
    Eskişehir Şehirler Arası Nakliyat
    Tunceli Evden Eve Nakliyat
    Kütahya Şehir İçi Nakliyat
    Coin Nedir
    Edirne Lojistik
    Tekirdağ Fayans Ustası

    ReplyDelete
  23. 724F7Wallace126B6November 9, 2023 at 9:21 AM

    63A19
    Osmaniye Evden Eve Nakliyat
    Ordu Lojistik
    Mersin Şehirler Arası Nakliyat
    Ünye Organizasyon
    Ardahan Şehir İçi Nakliyat
    Düzce Şehir İçi Nakliyat
    Batman Lojistik
    Aydın Parça Eşya Taşıma
    Mamak Boya Ustası

    ReplyDelete
  24. 23676Chester902FBNovember 12, 2023 at 11:50 AM

    B5667
    buy steroid cycles
    Eskişehir Evden Eve Nakliyat
    dianabol methandienone
    Aydın Evden Eve Nakliyat
    buy sarms
    order anapolon oxymetholone
    order halotestin
    buy pharmacy steroids
    Nevşehir Evden Eve Nakliyat

    ReplyDelete
  25. 6C249Konnor690CBNovember 13, 2023 at 6:02 AM

    D1D4D
    Muğla Şehirler Arası Nakliyat
    Uşak Lojistik
    Samsun Lojistik
    Tokat Şehir İçi Nakliyat
    Silivri Çatı Ustası
    Şırnak Lojistik
    Çerkezköy Buzdolabı Tamircisi
    Kütahya Şehir İçi Nakliyat
    Bursa Şehirler Arası Nakliyat

    ReplyDelete
  26. E20F9Noel9DB1FJanuary 6, 2024 at 6:26 AM

    C7296
    Soundcloud Dinlenme Hilesi
    Gate io Borsası Güvenilir mi
    Dxgm Coin Hangi Borsada
    Görüntülü Sohbet Parasız
    Bitcoin Madenciliği Nedir
    Kripto Para Nasıl Üretilir
    Parasız Görüntülü Sohbet
    Mexc Borsası Güvenilir mi
    Dlive Takipçi Hilesi

    ReplyDelete
  27. 991EEKira1A6E7January 19, 2024 at 2:43 PM

    17AAB
    Binance Hesap Açma
    Periscope Takipçi Satın Al
    Btcst Coin Hangi Borsada
    Trovo Takipçi Hilesi
    Okex Borsası Güvenilir mi
    Nonolive Takipçi Satın Al
    Binance Referans Kodu
    Binance Hesap Açma
    Görüntülü Sohbet Parasız

    ReplyDelete

Subscribe to: Post Comments (Atom)