"Security expert Andreas Bogk warns that, despite recent PHP
improvements, the session IDs of users who are logged into PHP
applications remain guessable. Upon close examination, the alleged
improvements display frightening weaknesses.
"PHP assigns a session ID in order to allow individual page
calls to be allocated to a specific logged-in user. To prevent
attackers from using a forged session ID to take control of a
session, the ID is chosen supposedly at random. When computers
require random numbers, invariably a pseudo random number generator
such as the Linear Congruential Generator (LCG) will be used. Such
number generators use complex mathematical operations to generate a
stream of numbers which are random at least in so far as it is
impossible to predict future numbers based on the numbers already
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.