I've inherited the vBulletin board from the last sys admin for our site, http://www.thesite.org.
We're getting reports of collisions on sessions. I've delved into the code and it seems that the sessionhash is created using an MD5 checksum on a timestamp.
$session['sessionhash']=md5(uniqid(microtime()));
The problem appears to be that the uniqid is not unique: http://www.php.net/manual/en/function.uniqid.php
Using MD5 is not going to solve the problem: MD5 creates a hash sum from the value of uniqid. If the uniqid is the same as the previous one, the MD5s will be identical.
I'm going to hack our version of the code, to append the pid.
Has anyone else encountered this issue? Is there a patch? Will there be a patch?
Might it also be worthwhile adding a unique constraint to the session table to ensure collisions don't occur?
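An added example, not part of the original post and not vBulletin's own code: one way to combine the two ideas raised above, drawing the session hash from the OS CSPRNG instead of a timestamp and letting a unique key on the session table reject any duplicate so the insert can retry. It assumes PHP 7+ (for `random_bytes`) with the pdo_sqlite extension; the table layout, column names and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not vBulletin code. Table and column names are hypothetical.

/** 128 bits from the OS CSPRNG, hex-encoded to 32 chars (same width as an MD5 hex digest). */
function new_session_hash(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Insert a session row and let the PRIMARY KEY reject duplicates.
 * $generator is injectable so the collision path can be exercised.
 */
function create_session(PDO $db, int $userId, callable $generator, int $maxTries = 3): string
{
    $stmt = $db->prepare('INSERT INTO session (sessionhash, userid, lastactivity) VALUES (?, ?, ?)');
    for ($i = 0; $i < $maxTries; $i++) {
        $hash = $generator();
        try {
            $stmt->execute([$hash, $userId, time()]);
            return $hash;
        } catch (PDOException $e) {
            // SQLSTATE class 23 = integrity constraint violation (duplicate key).
            if (substr((string) $e->getCode(), 0, 2) !== '23') {
                throw $e;
            }
        }
    }
    throw new RuntimeException('could not allocate a unique session hash');
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE session (sessionhash CHAR(32) PRIMARY KEY, userid INTEGER, lastactivity INTEGER)');

// Simulate the reported bug: a generator that hands out the same value twice.
$values = ['aaaa', 'aaaa', new_session_hash()];
$flaky = function () use (&$values): string { return array_shift($values); };

$first  = create_session($db, 1, $flaky);
$second = create_session($db, 2, $flaky); // duplicate is rejected, then retried
echo $first === $second ? "collision stored\n" : "collision rejected, sessions distinct\n";
```

Without the key constraint the second insert would succeed and two users would share one session row; with it, the duplicate surfaces as an error the application can handle.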