What is the length of a PHP session id string?

天命终不由人 2020-12-15 03:03

I'm making a table in a MySQL database to save some session data, including session_id. What should be the length of the VARCHAR to store the

5 Answers
  • 2020-12-15 03:18

    With a regular PHP installation, the length is always 26 (example: psprdaccghmmre1oo2eg0tnpe6)

  • 2020-12-15 03:20

    I don't know what my application will be used for, so I set it up as VARCHAR(127) and hope it will be great for unknown MySQL users.

  • 2020-12-15 03:22

    It depends on these configuration settings: session.hash_function and session.hash_bits_per_character

    Shorter session ID lengths have a higher chance of collision, but this also depends a lot on the ID generation algorithm. Given the default settings, the length of the session ID should be appropriate for most applications. For higher-security implementations, you may consider looking into how PHP generates its session IDs and checking whether it's cryptographically secure. If it isn't, then you should roll your own algorithm with a cryptographically secure source of randomness.

  • 2020-12-15 03:27

    Depends on session.hash_function and session.hash_bits_per_character.

    Check out the session_id page for more info.

    The higher you set session.hash_bits_per_character the shorter your session_id will become by using more bits per character. The possible values are 4, 5, or 6.

    When using sha-1 for hashing (by setting ini_set('session.hash_function', 1)), the following session string lengths are produced by the three session.hash_bits_per_character settings:

    4 - 40 character string

    5 - 32 character string

    6 - 27 character string

  • 2020-12-15 03:33

    @sachleen's answer isn't complete.
    More detailed info about session id length is described here.

    Summary:

    128-bit digest (MD5)  
    4 bits/char: 32 char SID    
    5 bits/char: 26 char SID    
    6 bits/char: 22 char SID
    
    160-bit digest (SHA-1)
    4 bits/char: 40 char SID    
    5 bits/char: 32 char SID    
    6 bits/char: 27 char SID
    

    And sample regex to check session id:

    preg_match('/^[a-zA-Z0-9,-]{22,40}$/', $sessionId)
    
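Added example (not part of the original answers): a stricter validator that derives the expected length from the digest size and bits per character in the summary above and checks the alphabet PHP documents for each bits-per-character value. The function names and the modified sample IDs are constructed for illustration.

```php
<?php
// Added example; function names are hypothetical. Covers the pre-7.1 settings
// session.hash_function / session.hash_bits_per_character discussed above
// (PHP 7.1+ replaced them with session.sid_length and session.sid_bits_per_character).
const DIGEST_BITS  = ['md5' => 128, 'sha1' => 160];
const SID_ALPHABET = [4 => '0-9a-f', 5 => '0-9a-v', 6 => '0-9a-zA-Z,-'];

/** Characters needed to encode the digest: ceil(bits / bitsPerChar). */
function expectedSidLength(string $hash, int $bitsPerChar): int
{
    if (!array_key_exists($hash, DIGEST_BITS) || !array_key_exists($bitsPerChar, SID_ALPHABET)) {
        throw new InvalidArgumentException("unsupported setting: $hash / $bitsPerChar");
    }
    return (int) ceil(DIGEST_BITS[$hash] / $bitsPerChar);
}

/** Strict check: exact length and exact alphabet for one configuration. */
function isValidSid($sid, string $hash, int $bitsPerChar): bool
{
    if (!is_string($sid)) {
        return false; // cookies and query parameters can arrive as arrays
    }
    $len = expectedSidLength($hash, $bitsPerChar);
    // \A and \z anchor to the real start and end; a bare $ also matches before a trailing "\n".
    $pattern = '/\A[' . SID_ALPHABET[$bitsPerChar] . ']{' . $len . '}\z/';
    return preg_match($pattern, $sid) === 1;
}

// Reproduce the length table and find the widest column needed.
$max = 0;
foreach (array_keys(DIGEST_BITS) as $hash) {
    foreach (array_keys(SID_ALPHABET) as $bpc) {
        $len = expectedSidLength($hash, $bpc);
        $max = max($max, $len);
        printf("%-4s %d bits/char: %d chars\n", $hash, $bpc, $len);
    }
}
printf("widest SID for these settings: %d chars\n", $max);

// Constructed inputs, checked against MD5 at 5 bits/char.
$samples = [
    'psprdaccghmmre1oo2eg0tnpe6',      // sample ID quoted in the first answer
    "psprdaccghmmre1oo2eg0tnpe6\n",    // trailing newline
    'psprdaccghmmre1oo2eg0tnpeZ',      // right length, "Z" outside 0-9a-v
    ['not', 'a', 'string'],
];
foreach ($samples as $s) {
    printf("%-32s => %s\n", json_encode($s), isValidSid($s, 'md5', 5) ? 'valid' : 'rejected');
}
```

The looser `{22,40}` pattern with `$` accepts the second and third samples; the strict check rejects both.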