What is the length of a PHP session id string?
Depends on session.hash_function and session.hash_bits_per_character.
Check out the session_id page for more info.
The higher you set session.hash_bits_per_character the shorter yoursession_id will become by using more bits per character. The possiblevalues are 4, 5, or 6.
When using sha-1 for hashing (by settingini_set('session.hash_function', 1) the following session stringlengths are produced by the three session.hash_bits_per_charactersettings:
4 - 40 character string
5 - 32 character string
6 - 27 character string
@sachleen answer isn't full.
More detailed info about session id length is described here.
Summary:
128-bit digest (MD5) 4 bits/char: 32 char SID 5 bits/char: 26 char SID 6 bits/char: 22 char SID160-bit digest (SHA-1)4 bits/char: 40 char SID 5 bits/char: 32 char SID 6 bits/char: 27 char SID
And sample regex to check session id:
preg_match('/^[a-zA-Z0-9,-]{22,40}$/', $sessionId)
It depends on these configuration settings:session.hash_function and session.hash_bits_per_character
Shorter session ID lengths have the higher chance of collision, but this also depends a lot on the ID generation algorithm. Given the default settings, the length of the session ID should be appropriate for most applications. For higher-security implementations, you may consider looking into how PHP generates its session IDs and check whether it's cryptographically secure. If it isn't, then you should roll your own algorithm with a cryptographically secure source of randomness.