{
    "slug": "weak_session_id",
    "term": "Weak Session ID",
    "category": "security",
    "difficulty": "intermediate",
    "short": "Session identifiers generated with insufficient entropy can be guessed or brute-forced, allowing session hijacking.",
    "long": "A weak session ID is one that is too short, uses a predictable algorithm (sequential numbers, MD5 of a timestamp), or is derived from guessable input. Attackers can enumerate or predict valid session tokens to hijack authenticated sessions without needing credentials. PHP's default session ID generator is cryptographically secure on current releases, where the session handler uses random_bytes() internally; additionally enable session.use_strict_mode so that uninitialized session IDs supplied by the client are rejected rather than adopted. Avoid custom session ID generation unless you use random_bytes(32) or similar.",
    "aliases": [
        "predictable session ID",
        "short session token",
        "weak session token"
    ],
    "tags": [
        "session",
        "authentication",
        "cryptography",
        "cwe-330"
    ],
    "misconception": "Misconception: PHP's built-in session_start() always generates cryptographically secure session IDs. In reality, older PHP versions used weak entropy sources. Always verify that session.hash_function is set to a strong algorithm and that session IDs are sufficiently long (at least 128 bits of entropy).",
    "why_it_matters": "A short or predictable session ID can be brute-forced or guessed, granting the attacker a valid authenticated session without any credentials.",
    "common_mistakes": [
        "Using a custom session ID generation function instead of PHP's built-in generator (session_start() and session_regenerate_id()).",
        "Short session IDs (less than 128 bits of entropy) that are feasible to enumerate.",
        "Not regenerating the session ID after login — allows session fixation attacks.",
        "Including user-supplied values (like user ID) in the session ID, reducing its unpredictability."
    ],
    "when_to_use": [
        "Use PHP's built-in session_start() with session.use_strict_mode=1 — it generates cryptographically secure session IDs automatically.",
        "Regenerate the session ID after login with session_regenerate_id(true) to prevent fixation attacks."
    ],
    "avoid_when": [
        "Never generate session IDs manually using rand(), mt_rand(), uniqid(), or md5(time()).",
        "Do not transmit session IDs in URLs — always use HttpOnly, Secure cookies."
    ],
    "related": [
        "session",
        "predictable_token",
        "session_fixation",
        "csprng"
    ],
    "prerequisites": [
        "session",
        "insecure_randomness",
        "session_fixation"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/Session_hijacking_attack",
        "https://www.php.net/manual/en/session.security.php"
    ],
    "bad_code": "// Predictable session IDs\n\\$sessionId = md5(\\$userId . time()); // time-based, guessable",
    "good_code": "// PHP's session_start() with secure config generates cryptographically\n// random session IDs by default (uses /dev/urandom)\nini_set('session.entropy_length', 32);\nini_set('session.hash_function', 'sha256');\nini_set('session.hash_bits_per_character', 6);\n// Result: 43+ char session ID from CSPRNG\n\n// For API tokens — random bytes\n\\$token = bin2hex(random_bytes(32)); // 64 char hex token\n\\$stored = hash('sha256', \\$token);   // store hash in DB, send raw to client",
    "quick_fix": "Use PHP's default session handler with session.hash_function=sha256 and session.entropy_length=32 (these directives exist only in PHP versions before 7.1; on PHP 7.1 and later they were removed, and session.sid_length and session.sid_bits_per_character control ID strength instead); never generate session IDs manually",
    "severity": "high",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-31",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/weak_session_id",
        "html_url": "https://codeclaritylab.com/glossary/weak_session_id",
        "json_url": "https://codeclaritylab.com/glossary/weak_session_id.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Weak Session ID](https://codeclaritylab.com/glossary/weak_session_id) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/weak_session_id"
            }
        }
    }
}