From: Vertebrac on
Hi all!!

I have a server running:

Debian Lenny
Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1
PHP/5.2.6-1+lenny9 with Suhosin-Patch

Clients connect to the system using the Firefox browser (all of them), and
some of them have cloned machines (Win 7 - Norton Ghost). I mention
this in case the session ID generation process uses some kind of
seed coming from the computer itself; I have looked into the C code of
PHP and I couldn't find any clue that confirms this thought, but just
in case.

We use an intranet system over a medium LAN (about 200 hosts).
The problem that we are experiencing right now is that, randomly,
session IDs are duplicated between 2 hosts.
We tried to increase the entropy by adding /var/urandom to
session.entropy_file, upgraded our Apache and PHP to this current
version, and the problem just keeps existing.
We set up a workaround to just kick off the user if the session they
try to use is already in use by another computer, but the users tend
to lose everything that they've been working on (because of that
workaround).

Has anyone of you experienced a problem similar to this one?
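The workaround described above (kick the user whose session ID is already in use) can be softened so that only the second host loses its session while the original owner keeps working. The following is an added example, not code from the original post; it binds each session to the requesting client (REMOTE_ADDR plus User-Agent, assuming no NAT or proxy sits between the hosts and the server, so REMOTE_ADDR identifies a host) and uses `session_regenerate_id(false)` so the colliding client is detached onto a fresh ID without deleting the first host's session data. The `_owner` key name and the `start_guarded_session()` function are this example's own, and the code is written for PHP 5.2 (no `??` operator).

```php
<?php
// Added example: detect two hosts presenting the same session ID and
// detach the newcomer instead of destroying the shared session.
// Assumes REMOTE_ADDR identifies a LAN host (no NAT/proxy in front).

function client_fingerprint()
{
    // Address plus User-Agent, hashed to a fixed-length string.
    $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $ua   = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return sha1($addr . '|' . $ua);
}

// Returns 'new', 'ok' or 'collision' so callers can log or react.
function start_guarded_session()
{
    session_start();
    $fp = client_fingerprint();

    if (!isset($_SESSION['_owner'])) {
        // First request seen for this ID: claim it for this client.
        $_SESSION['_owner'] = $fp;
        return 'new';
    }

    if ($_SESSION['_owner'] === $fp) {
        return 'ok';
    }

    // Same ID presented by a different host. Keep the stored session for
    // its original owner; give this request an empty session under a new ID.
    $collidedId = session_id();
    $_SESSION = array();
    // false: do not delete the old session file, the first host still uses it.
    session_regenerate_id(false);
    $_SESSION['_owner'] = $fp;
    error_log(sprintf('session id collision: %s also presented by %s, reissued as %s',
        $collidedId, $_SERVER['REMOTE_ADDR'], session_id()));
    return 'collision';
}

$state = start_guarded_session();
if ($state === 'collision') {
    // Send the detached client back to the login page with a fresh, empty session.
    header('Location: /login.php');
    exit;
}
```

Because the Ghost-cloned machines share the same User-Agent, the fingerprint relies on REMOTE_ADDR to tell them apart; the logged collision lines also give you a count of how often duplicate IDs actually occur after the entropy changes.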