From: Vertebrac on 16 Sep 2010 10:46
I have a server running:
Apache/2.2.9 (Debian) DAV/2 SVN/1.5.1
PHP/5.2.6-1+lenny9 with Suhosin-Patch
Clients connect to the system using the Firefox browser (all of them), and
some of them have cloned machines (Win 7 - Norton Ghost). I mention
this in case the session id generation process uses some kind of
seed coming from the computer itself. I have looked into the C code of
PHP and I couldn't find any clue that confirms this thought, but just
We use an intranet system over a medium LAN (about 200 hosts).
The problem that we are experiencing right now is that, randomly,
session ids are duplicated between 2 hosts.
We tried to increase the entropy by adding /var/urandom to the
session.entropy_file, upgraded our apache and php to this actual
version, and the problem just keeps existing.
We set up a workaround to just kick off the user if the session they
try to use is already in use by another computer, but the users tend
to lose everything that they've been working on (because of that
Has any of you experienced a problem similar to this one?
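
Added example, not part of the original post: one way to confirm from the server side which hosts present the same session id, and over what time window, before and after a configuration change. It assumes Apache logs the session cookie through a custom LogFormat using `%{PHPSESSID}C` (PHP's default session cookie name); the log layout, addresses and ids below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed Apache LogFormat (not from the post): "%h %t \"%r\" %>s \"%{PHPSESSID}C\""
LINE_RE = re.compile(
    r'^(?P<host>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<sid>[^"]*)"$'
)

# Constructed sample lines; addresses and session ids are made up.
SAMPLE_LOG = """\
10.0.0.21 [16/Sep/2010:09:00:01 +0000] "GET /index.php HTTP/1.1" 200 "-"
10.0.0.21 [16/Sep/2010:09:00:05 +0000] "GET /tasks.php HTTP/1.1" 200 "aaaa1111"
10.0.0.34 [16/Sep/2010:09:02:10 +0000] "GET /tasks.php HTTP/1.1" 200 "bbbb2222"
10.0.0.57 [16/Sep/2010:09:03:40 +0000] "POST /save.php HTTP/1.1" 200 "aaaa1111"
10.0.0.21 [16/Sep/2010:09:04:00 +0000] "GET /tasks.php HTTP/1.1" 200 "aaaa1111"
10.0.0.34 [16/Sep/2010:09:05:00 +0000] "GET /tasks.php HTTP/1.1" 200 "bbbb2222"
not a log line
"""

def find_shared_sessions(lines):
    """Return {session_id: [(host, first_seen, last_seen), ...]} for ids used by 2+ hosts."""
    seen = defaultdict(dict)  # sid -> host -> [first_seen, last_seen]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["sid"] in ("", "-"):
            continue  # malformed line, or a request that carried no session cookie
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        span = seen[m["sid"]].setdefault(m["host"], [ts, ts])
        span[0], span[1] = min(span[0], ts), max(span[1], ts)
    return {
        sid: sorted((h, f, l) for h, (f, l) in hosts.items())
        for sid, hosts in seen.items() if len(hosts) > 1
    }

if __name__ == "__main__":
    for sid, hosts in find_shared_sessions(SAMPLE_LOG.splitlines()).items():
        print(sid)
        for host, first, last in hosts:
            print(f"  {host}  {first:%H:%M:%S} .. {last:%H:%M:%S}")
```

Logging the session cookie puts live session ids in the access log, so that log needs the same protection as the session store.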