I'm making a table in a MySQL database to save some session data, including session_id
. What should be the length of the VARCHAR
to store the session_id
string?
Depends on session.hash_function and session.hash_bits_per_character.
Check out the session_id page for more info.
The higher you set session.hash_bits_per_character the shorter your session_id will become by using more bits per character. The possible values are 4, 5, or 6.
When using sha-1 for hashing (by setting ini_set('session.hash_function', 1) the following session string lengths are produced by the three session.hash_bits_per_character settings:
4 - 40 character string
5 - 32 character string
6 - 27 character string
@sachleen answer isn't full.
More detailed info about session id length is described here.
Summary:
128-bit digest (MD5)
4 bits/char: 32 char SID
5 bits/char: 26 char SID
6 bits/char: 22 char SID
160-bit digest (SHA-1)
4 bits/char: 40 char SID
5 bits/char: 32 char SID
6 bits/char: 27 char SID
And sample regex to check session id:
preg_match('/^[a-zA-Z0-9,-]{22,40}$/', $sessionId)
It depends on these configuration settings: session.hash_function and session.hash_bits_per_character
Shorter session ID lengths have the higher chance of collision, but this also depends a lot on the ID generation algorithm. Given the default settings, the length of the session ID should be appropriate for most applications. For higher-security implementations, you may consider looking into how PHP generates its session IDs and check whether it's cryptographically secure. If it isn't, then you should roll your own algorithm with a cryptographically secure source of randomness.
I don't know where my application will be used for then I set it up as: VARCHAR(127) and hope it will be great for unKnown MySQL users.
By the regular php installation length is always 26 (exmp: psprdaccghmmre1oo2eg0tnpe6)