Is a PHP session secure?
For now I don't care about data transmission - no man-in-the-middle; that's the work of HTTP and HTTPS.
As far as I know PHP identifies sessions with the HTTP cookie. But what happens if anyone tries brute-force guessing of session IDs?
It's safe to assume that nothing is secure.
- http://en.wikipedia.org/wiki/Session_hijacking
- https://www.owasp.org/index.php/Session_hijacking_attack
- http://www.serversidemagazine.com/php/session-hijacking/
Andreas Bogk made some very reasonable recommendations about a year ago to address a cryptographic weakness in the session key generation logic in PHP versions 5.3.2 and earlier that made PHP sessions more vulnerable to "session hijacking" (which seems to be your primary concern) than they ought to have been.
And Przemek Sobstel wrote a generic catalogue of attack types (including session hijacking) targeting the PHP session mechanism over 4 years ago, along with suggestions for mitigating them. The latest PHP version has changed several times since then, as has the "threat landscape". But the attack types have not changed much since then, and neither have the recommended best practices.
If you want to quantify your risk exposure, then you're going to have to define your scenario (implementation, environment, etc.) more precisely.
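To make the "quantify your risk exposure" point concrete, here is an added example (mine, not code from the original post or from the authors cited above) that models the brute-force scenario the question asks about and then runs a simple detector over constructed log lines. It assumes IDs are drawn uniformly from the stated alphabet, uses PHP's old default of a 32-character hexadecimal (MD5) session ID and its default `session.gc_maxlifetime` of 1440 seconds as reference numbers, and uses a made-up application log format (`ip timestamp sid=<id> known|unknown`) rather than any real web-server log. The `brute_force_estimate` and `find_session_guessers` names are my own.

```python
"""
Added example: how long a blind session-ID guess takes versus how long the
target session stays alive, plus a detector for guessing attempts.

Assumptions (not from the page): IDs are uniform over the alphabet; the
server can tell a known (live) session ID from an unknown one and logs that;
the log format below is constructed for this example.
"""
import math
import re
from collections import defaultdict

# PHP's old default session ID is 32 hex characters (MD5 output), and the
# default session.gc_maxlifetime is 1440 seconds. Used as reference values only.
HEX_ALPHABET = 16
PHP_DEFAULT_ID_LENGTH = 32
PHP_DEFAULT_GC_MAXLIFETIME = 1440


def id_entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in an ID of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_guesses(entropy_bits: float, live_sessions: int) -> float:
    """Expected random guesses before hitting any one of `live_sessions` valid IDs."""
    return 2.0 ** entropy_bits / live_sessions


def brute_force_estimate(alphabet_size: int, length: int, live_sessions: int,
                         guesses_per_second: float,
                         session_lifetime_seconds: int = PHP_DEFAULT_GC_MAXLIFETIME) -> dict:
    """Estimate whether blind guessing can land on a live session before it ages out."""
    bits = id_entropy_bits(alphabet_size, length)
    guesses = expected_guesses(bits, live_sessions)
    seconds = guesses / guesses_per_second
    return {
        "entropy_bits": bits,
        "expected_guesses": guesses,
        "expected_seconds": seconds,
        # A correct guess only helps while the target session is still alive.
        "feasible_within_lifetime": seconds <= session_lifetime_seconds,
    }


# Constructed log format: "<ip> <timestamp> sid=<session id> known|unknown"
LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) sid=(?P<sid>\S+) (?P<result>known|unknown)$")


def find_session_guessers(log_lines, min_unknown_ids: int = 5) -> dict:
    """
    Flag client IPs presenting many *distinct* unknown session IDs.
    A user with one expired cookie repeats the same unknown ID; a guesser
    cycles through many different ones, so distinct IDs are what we count.
    """
    unknown_ids = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m and m.group("result") == "unknown":
            unknown_ids[m.group("ip")].add(m.group("sid"))
    return {ip: len(ids) for ip, ids in unknown_ids.items() if len(ids) >= min_unknown_ids}


# Constructed sample: one legitimate client with a single stale cookie,
# one client cycling through sequential guesses.
SAMPLE_LOG = [
    "203.0.113.5 2013-10-10T13:55:36Z sid=3f2c8a1b9e7d6c5b4a3f2e1d0c9b8a7f known",
    "203.0.113.5 2013-10-10T13:55:40Z sid=3f2c8a1b9e7d6c5b4a3f2e1d0c9b8a7f known",
    "203.0.113.5 2013-10-10T14:30:01Z sid=00aa11bb22cc33dd44ee55ff66778899 unknown",
    "203.0.113.5 2013-10-10T14:30:02Z sid=00aa11bb22cc33dd44ee55ff66778899 unknown",
    "198.51.100.7 2013-10-10T14:31:00Z sid=00000001 unknown",
    "198.51.100.7 2013-10-10T14:31:00Z sid=00000002 unknown",
    "198.51.100.7 2013-10-10T14:31:01Z sid=00000003 unknown",
    "198.51.100.7 2013-10-10T14:31:01Z sid=00000004 unknown",
    "198.51.100.7 2013-10-10T14:31:02Z sid=00000005 unknown",
    "198.51.100.7 2013-10-10T14:31:02Z sid=00000006 unknown",
]


if __name__ == "__main__":
    # 128-bit hex ID, 1000 live sessions, a million guesses per second: hopeless.
    print(brute_force_estimate(HEX_ALPHABET, PHP_DEFAULT_ID_LENGTH, 1000, 1e6))
    # An 8-digit decimal ID at 100 guesses per second: cracked well inside 1440 s.
    print(brute_force_estimate(10, 8, 1000, 100))
    print(find_session_guessers(SAMPLE_LOG))
```

The first estimate is the answer to the literal question: with a full-entropy 128-bit ID the expected time to guess any live session is astronomically larger than the session lifetime, so "they would be aging" is exactly right. The second estimate shows what the cited weakness in older PHP versions changes: once the effective entropy drops to a few tens of bits, guessing fits inside the lifetime window and the detector becomes the control that matters.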
But what happens if anyone tries brute-force guessing of session IDs?
They would be aging...