Saturday, September 14, 2002

When a client loads the website, it is randomly assigned a 32-byte session id. This id is unique in practice (two random 256-bit values colliding is negligibly likely). Now suppose the client logs in to the website. If the username is unique, could it not be used as the session id instead?

No. The collision the question hints at (a username exactly 32 bytes long that the PHP session routines happen to generate byte for byte) is possible only in theory, with probability 2^-256 per generated id, so it is not the real objection. The real objection is that a session id must be secret and unguessable: it is the only thing tying the cookie to the logged-in user. A username is neither. Anyone who knows or guesses it could present it as their cookie and be treated as that user, with no login at all. Keep the random id as the cookie and map it to the username on the server side.
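As an added illustration (not code from the original post, and not PHP's session implementation), the following Python compares the two schemes: a server-side table keyed by a random 32-byte id, and the proposed scheme where the cookie is the username itself. The class and function names, and the "alice" account, are hypothetical. It also computes the collision probability the post worries about.

```python
"""Added example (not from the original post): why the random session id is
kept separate from the username. All names here are hypothetical."""

import secrets

SESSION_ID_BYTES = 32  # the 32-byte id the post describes


class RandomSessionStore:
    """Server-side table: unguessable random id -> username."""

    def __init__(self):
        self._by_id = {}

    def login(self, username):
        sid = secrets.token_bytes(SESSION_ID_BYTES)  # from the OS CSPRNG
        self._by_id[sid] = username
        return sid.hex()  # hex-encoded value that goes in the cookie

    def user_for(self, cookie):
        # A cookie that is not even valid hex (e.g. a bare username) is rejected.
        try:
            return self._by_id.get(bytes.fromhex(cookie))
        except ValueError:
            return None


class UsernameSessionStore:
    """The scheme the post asks about: the cookie *is* the username."""

    def __init__(self):
        self._logged_in = set()

    def login(self, username):
        self._logged_in.add(username)
        return username  # the "session id" is public knowledge

    def user_for(self, cookie):
        return cookie if cookie in self._logged_in else None


def attacker_hijacks(store, victim, guesses=1000):
    """Attacker knows the victim's username but never saw the victim's cookie.
    Tries the username itself, then a batch of random ids."""
    if store.user_for(victim) == victim:
        return True
    for _ in range(guesses):
        if store.user_for(secrets.token_hex(SESSION_ID_BYTES)) == victim:
            return True
    return False


def p_random_id_equals_username(username):
    """Probability that a fresh random id is byte-for-byte equal to the
    username (the collision the post raises). Zero unless the username is
    exactly SESSION_ID_BYTES long; otherwise one chance in 2**256."""
    raw = username.encode("utf-8")
    if len(raw) != SESSION_ID_BYTES:
        return 0.0
    return 2.0 ** (-8 * SESSION_ID_BYTES)


if __name__ == "__main__":
    good, bad = RandomSessionStore(), UsernameSessionStore()
    good.login("alice")
    bad.login("alice")
    print("random-id store hijacked:", attacker_hijacks(good, "alice"))  # False
    print("username-id store hijacked:", attacker_hijacks(bad, "alice"))  # True
    print("P[random id == 32-byte username]:",
          p_random_id_equals_username("a" * SESSION_ID_BYTES))
```

The random-id store survives an attacker who knows the username because the cookie value is never derived from anything public; the username-as-id store is hijacked on the first try. The collision probability function returns 2^-256 for a 32-byte username and 0 for any other length, which is why that concern is academic compared with guessability.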

