PHP Session IDs Are Guessable
Bogk "warns that, despite recent PHP improvements, the session IDs of users who are logged into PHP applications remain guessable," The H reported.
The problem is that PHP seeds its pseudo-random number generator, from which session IDs are derived, with a call to the "gettimeofday" function, so the seed comes from the current time rather than from an unpredictable entropy source.
Upon examination of the PHP source code, Bogk said, "What we immediately notice is the lack of non-predictable entropy sources in the initial seeding."
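To make the point concrete, here is an added example in Python that is not taken from the article or from PHP's source: a toy generator seeded only with a timestamp, beside one backed by the operating system's CSPRNG, plus a helper that estimates how little entropy a time-based seed can carry. The function names, the 128-bit token size and the sample timestamp are assumptions made for the illustration; the toy generator is not PHP's actual algorithm.

```python
import math
import random
import secrets

# Added example (not the original article's or PHP's code): a toy
# pseudo-random token generator seeded the way the article criticises,
# beside a generator backed by the operating system's CSPRNG.

TOKEN_BYTES = 16  # assumed 128-bit session identifier


def time_seeded_session_id(seed_microseconds: int) -> str:
    """Toy generator: a non-cryptographic PRNG seeded only with a timestamp.

    Every run that receives the same seed produces the same token, so the
    token carries no more entropy than the seed value itself. This mimics
    the weakness described above; it is NOT PHP's real implementation.
    """
    prng = random.Random(seed_microseconds)  # deterministic Mersenne Twister
    return prng.getrandbits(8 * TOKEN_BYTES).to_bytes(TOKEN_BYTES, "big").hex()


def csprng_session_id() -> str:
    """Hardened generator: 128 bits drawn from the OS CSPRNG."""
    return secrets.token_hex(TOKEN_BYTES)


def seed_entropy_bits(uncertainty_seconds: float) -> float:
    """Upper bound on the entropy of a gettimeofday-based seed.

    gettimeofday has microsecond resolution, so if the seeding time is known
    to within `uncertainty_seconds`, at most about 1e6 * uncertainty_seconds
    distinct seeds are possible. This is a risk estimate for defenders.
    """
    return math.log2(max(1.0, uncertainty_seconds * 1_000_000))


def token_entropy_bits(token_hex: str) -> int:
    """Nominal entropy of a hex token if every bit were independently random."""
    return 4 * len(token_hex)


if __name__ == "__main__":
    seed = 1_289_000_000_123_456  # constructed sample timestamp in microseconds
    a = time_seeded_session_id(seed)
    b = time_seeded_session_id(seed)
    print("same seed, same token:", a == b)
    print("time-seeded token: nominal %d bits, real <= %.1f bits if the "
          "seeding time is known to within 1 s"
          % (token_entropy_bits(a), seed_entropy_bits(1.0)))
    c = csprng_session_id()
    print("CSPRNG token:", c, "nominal bits:", token_entropy_bits(c))
```

The toy token looks like 128 bits of randomness but is fully determined by a seed with under 20 bits of uncertainty once the seeding second is known; the CSPRNG token has no seed an observer can narrow down. On PHP 7.1 and later the session module draws its ID from the OS CSPRNG directly, and the `session.sid_length` and `session.sid_bits_per_character` ini directives control its size; on the PHP 5.3-era releases the article concerns, the `session.entropy_file` and `session.entropy_length` directives were the way to mix /dev/urandom into session ID generation.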
Bogk recommends that the PHP developers brush up on their cryptography knowledge and read Bruce Schneier.