Weak Session ID
Also Known As
predictable session ID
short session token
weak session token
TL;DR
Session identifiers generated with insufficient entropy can be guessed or brute-forced, allowing session hijacking.
Explanation
A weak session ID is one that is too short, produced by a predictable algorithm (a sequential counter, md5() of a timestamp), or derived from guessable input such as the user ID. An attacker who can enumerate or predict valid tokens hijacks authenticated sessions without ever learning a password. Since PHP 7.1 the built-in session handler draws session IDs from the operating-system CSPRNG (the same source random_bytes() uses), so session_start() on its own produces unpredictable IDs; session.use_strict_mode is a separate control that makes PHP refuse any ID it did not issue itself, which closes session fixation rather than adding entropy. Avoid custom session ID generation altogether; if you must mint a token by hand, use random_bytes(32) or session_create_id().
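The attack described above, played out against the time-based scheme from this page's vulnerable example, as an added PHP example (not code from the original page). A constructed server table holds one session minted as md5($userId . time()); the attacker never sees that ID and instead enumerates the (timestamp, user ID) space until the server accepts a candidate. The five-minute window, the 5000-user bound and the victim's login time are assumptions chosen for the demo:

```php
<?php
declare(strict_types=1);

// Added example, not code from the original page. Simulates an attacker who
// never observes a valid session ID and instead enumerates the search space of
// the weak generator shown on this page.

// The weak generator from the vulnerable example.
function weakSessionId(int $userId, int $loginTime): string
{
    return md5($userId . $loginTime);
}

// Constructed "server" session table: one victim logged in at an assumed time.
function buildSessionTable(int $victimUserId, int $victimLoginTime): array
{
    return [weakSessionId($victimUserId, $victimLoginTime) => ['user_id' => $victimUserId]];
}

// Attacker: knows the scheme, assumes the login happened within $windowSeconds of
// $approxLoginTime and that user IDs are integers up to $maxUserId (both are
// assumptions about what an attacker could observe or guess). Returns the first
// candidate the server accepts plus the number of guesses it took, or null.
function hijackByEnumeration(array $sessionTable, int $approxLoginTime, int $windowSeconds, int $maxUserId): ?array
{
    $guesses = 0;
    for ($t = $approxLoginTime - $windowSeconds; $t <= $approxLoginTime + $windowSeconds; $t++) {
        for ($uid = 1; $uid <= $maxUserId; $uid++) {
            $guesses++;
            $candidate = weakSessionId($uid, $t);
            if (isset($sessionTable[$candidate])) {   // the server would accept this cookie
                return [
                    'session_id'    => $candidate,
                    'hijacked_user' => $sessionTable[$candidate]['user_id'],
                    'guesses'       => $guesses,
                ];
            }
        }
    }
    return null;
}

// Bits an attacker must search for the weak scheme: log2 of (timestamps * user IDs).
function weakSearchSpaceBits(int $windowSeconds, int $maxUserId): float
{
    return log((2 * $windowSeconds + 1) * $maxUserId, 2);
}

// Bits in PHP's built-in ID for a given php.ini pair (PHP 7.1+ defaults: 32 * 4 = 128).
function builtinSessionIdBits(int $sidLength, int $bitsPerChar): int
{
    return $sidLength * $bitsPerChar;
}

// Demo with constructed values: victim 4242 logged in at 1700000000; the attacker
// guesses the login time to within 300 s and bounds user IDs at 5000.
$victimUserId    = 4242;
$victimLoginTime = 1700000000;
$table  = buildSessionTable($victimUserId, $victimLoginTime);
$result = hijackByEnumeration($table, $victimLoginTime + 37, 300, 5000);

if ($result === null) {
    echo "no valid session found in the assumed window\n";
} else {
    printf("hijacked user %d after %d guesses (search space ~%.1f bits)\n",
        $result['hijacked_user'], $result['guesses'], weakSearchSpaceBits(300, 5000));
}
printf("PHP 7.1+ default session ID: %d bits, i.e. on the order of 2^%d guesses\n",
    builtinSessionIdBits(32, 4), builtinSessionIdBits(32, 4) - 1);
```

Run it with the php command-line binary. The md5 loop finishes in a few seconds on ordinary hardware after roughly 1.3 million guesses, which is the point: the weak scheme has about 21.5 bits of search space, against 128 bits for the stock PHP generator, so the same enumeration would never terminate against a correctly configured server.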
Common Misconception
✗ PHP's built-in session_start() always generates cryptographically secure session IDs. Only on PHP 7.1 and later is that true unconditionally: the ID is drawn from the operating-system CSPRNG. Earlier versions hashed the client address, the current time and a non-cryptographic PRNG value with MD5 (or the algorithm named by session.hash_function), mixing in OS entropy only when session.entropy_file and session.entropy_length were configured, so on a misconfigured host the ID could be far weaker than its length suggests. On current PHP, check instead that session.sid_length times session.sid_bits_per_character is at least 128 (the defaults, 32 and 4, give exactly that) and that nothing calls session_id() with a self-made value.
Why It Matters
A short or predictable session ID can be brute-forced or guessed, granting the attacker a valid authenticated session without any credentials.
Common Mistakes
- Using a custom session ID generator (md5(), uniqid(), mt_rand()) and installing its output with session_id() instead of letting session_start() mint the ID.
- Short session IDs (less than 128 bits of entropy) that are feasible to enumerate.
- Not regenerating the session ID after login — allows session fixation attacks.
- Including user-supplied values (like user ID) in the session ID, reducing its unpredictability.
Avoid When
- Never generate session IDs manually using rand(), mt_rand(), uniqid(), or md5(time()).
- Do not transmit session IDs in URLs (set session.use_only_cookies=1 and session.use_trans_sid=0); send them only in cookies flagged HttpOnly, Secure and SameSite.
When To Use
- Use PHP's built-in session_start() on PHP 7.1+: it draws the session ID from the CSPRNG with no configuration needed. Set session.use_strict_mode=1 as well, so PHP discards any ID the client presents that the server never issued.
- Regenerate the session ID after login with session_regenerate_id(true) to prevent fixation attacks.
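The two items above put together as a working session bootstrap, added here as a PHP example rather than taken from the original page. It assumes PHP 7.3 or later (array form of session_set_cookie_params() and setcookie()) and an HTTPS deployment; the user ID 4242 is a placeholder for whatever your credential check returns:

```php
<?php
declare(strict_types=1);

// Added example, not code from the original page. Every session.* ini_set must
// run before session_start(); after that point they are ignored.

function startSecureSession(int $minEntropyBits = 128): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');        // reject IDs the server never issued (fixation)
    ini_set('session.use_only_cookies', '1');       // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');          // never rewrite URLs to carry the ID
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6'); // 48 chars * 6 bits = 288 bits from the CSPRNG

    // Fail closed if php.ini or a later ini_set weakened the ID size.
    $bits = (int) ini_get('session.sid_length') * (int) ini_get('session.sid_bits_per_character');
    if ($bits < $minEntropyBits) {
        throw new RuntimeException("session ID carries only {$bits} bits, need >= {$minEntropyBits}");
    }

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, not persistent
        'path'     => '/',
        'secure'   => true,     // HTTPS only (assumes an HTTPS deployment)
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the password (or other factor) has been verified.
function loginUser(int $userId): void
{
    // New ID on privilege change: the pre-login ID, possibly planted by an
    // attacker, is deleted server-side (true) and never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie on the client as well as destroying the server-side record.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Request sketch: the credential check itself is out of scope here.
startSecureSession();
if (!isset($_SESSION['user_id'])) {
    // ... verify credentials, then promote the session:
    loginUser(4242);   // placeholder user ID
}
printf("session %s (%d chars) for user %d\n",
    session_id(), strlen(session_id()), $_SESSION['user_id']);
```

The entropy check runs before session_start() on purpose: the ID is generated at start time, so a check afterwards would only confirm that the weak ID has already been issued. With these settings a 48-character ID is produced; the stock defaults (32 characters, 4 bits each) already meet the 128-bit floor, so the check is a guard against php.ini overrides rather than a fix for the defaults.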
Code Examples
✗ Vulnerable
// Predictable session IDs
$sessionId = md5($userId . time()); // time-based, guessable
✓ Fixed
// PHP 7.1+ draws the session ID from the operating-system CSPRNG; the old
// session.hash_function / session.entropy_length settings no longer exist.
// Size the ID with their replacements, before session_start():
ini_set('session.use_strict_mode', '1');         // reject IDs the server never issued
ini_set('session.sid_length', '48');
ini_set('session.sid_bits_per_character', '6');  // 48 chars * 6 bits = 288 bits
session_start();
// Result: 48-char session ID from the CSPRNG (defaults 32 * 4 give 128 bits)
// For API tokens, draw random bytes directly
$token = bin2hex(random_bytes(32));  // 256 bits, 64 hex chars
$stored = hash('sha256', $token);    // store the hash in the DB, send the raw token to the client
References
Tags
Added
15 Mar 2026
Edited
31 Mar 2026
Related categories
⚡
DEV INTEL
Tools & Severity
🟠 High
⚙ Fix effort: Low
⚡ Quick Fix
Use PHP's default session handler (PHP 7.1+) with session.use_strict_mode=1 and session.sid_length × session.sid_bits_per_character of at least 128 bits; never generate session IDs manually
📦 Applies To
PHP 5.0+
web
🔗 Prerequisites
🔍 Detection Hints
Custom session ID generation using rand(), mt_rand(), uniqid() or md5() fed to session_id(); session.sid_length or session.sid_bits_per_character set below the defaults (32 and 4) in php.ini
Auto-detectable:
✓ Yes
semgrep
psalm
⚠ Related Problems
🤖 AI Agent
Confidence: High
False Positives: Low
✓ Auto-fixable
Fix: Low
Context: File
Tests: Update
CWE-330
CWE-6
CWE-338