Session_id can indeed be duplicated, but the probability is very low. If you have a website with a fair traffic, it may happens once in you web site life, and will just annoy one user for one session.

Session_id 确实可以复制，但是概率很低。如果您有一个流量公平的网站，它可能会在您的网站生活中发生一次，并且只会在一次会话中惹恼一个用户。

This is not worth to care about unless you expect to build a very high traffic website or a service for the bank industry.

除非您希望为银行业建立一个非常高流量的网站或服务，否则这不值得关心。

It's not very unique as shipped. In the default configuration it's the result of a hash of various things including the result of gettimeofday (which isn't terribly unique), but if you're worried, you should configure it to draw some entropy from /dev/urandom, like so

它在发货时并不是很独特。在默认配置中，它是各种事物的散列结果，包括 gettimeofday 的结果（这不是非常独特），但是如果您担心，您应该将其配置为从 /dev/urandom 中提取一些熵，就像这样

ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");

search for "php_session_create_id" in the codefor the actual algorithm they're using.

在他们使用的实际算法的代码中搜索“php_session_create_id” 。

Edited to add: There's a DFA random-number generator seeded by the pid, mixed with the time in usecs. It's not a firm uniqueness condition especially from a security perspective. Use the entropy config above.

编辑添加：有一个由 pid 播种的 DFA 随机数生成器，与 usecs 中的时间混合。这不是一个确定的唯一性条件，尤其是从安全角度来看。使用上面的熵配置。

Update:

更新：

As of PHP 5.4.0 session.entropy_file defaults to /dev/urandom or /dev/arandom if it is available. In PHP 5.3.0 this directive is left empty by default. PHP Manual

自 PHP 5.4.0 起 session.entropy_file 默认为 /dev/urandom 或 /dev/arandom 如果可用。在 PHP 5.3.0 中，该指令默认为空。PHP 手册

If you want to know how PHP generates a session ID by default check out the source code on Github. It is certainly not random and is based on a hash (default: md5) of these ingredients (see line 310 of code snippet):

如果您想知道 PHP 如何默认生成会话 ID，请查看Github上的源代码。它当然不是随机的，并且基于这些成分的散列（默认值：md5）（参见代码片段的第 310 行）：

1. IP addressof the client
2. Current time
3. PHP Linear Congruence Generator- a pseudo random number generator (PRNG)
4. OS-specific random source- if the OS has a random source available (e.g. /dev/urandom)

1. 客户端的IP地址
2. 当前时间
3. PHP Linear Congruence Generator- 一个伪随机数生成器 (PRNG)
4. 操作系统特定的随机源- 如果操作系统有可用的随机源（例如 /dev/urandom）

If the OS has a random source available then strength of the generated ID for the purpose of being a session ID is high (/dev/urandom and other OS random sources are (usually) cryptographically secure PRNGs). If however it does not then it is satisfactory.

如果操作系统有一个可用的随机源，那么为了成为会话 ID 的目的而生成的 ID 的强度很高（/dev/urandom 和其他操作系统随机源（通常）是加密安全的 PRNGs）。然而，如果它没有，那么它是令人满意的。

The goal with session identification generation is to:

会话标识生成的目标是：

1. minimise the probability of generating two session IDs with the same value
2. make it very challenging computationally to generate random keys and hit an in use one.

1. 最小化生成具有相同值的两个会话 ID 的概率
2. 使生成随机密钥并命中使用中的密钥在计算上变得非常具有挑战性。

This is achieved by PHP's approach to session generation.

这是通过 PHP 的会话生成方法实现的。

You cannot absolutely guarantee uniqueness, but the probabilities are so low of hitting the same hash twice that it is, generally speaking, not worth worrying about.

你不能绝对保证唯一性，但是两次命中相同哈希的概率很低，一般来说，不值得担心。

You can install an alternative hash generation function if you want to customise the way the ID is generated (it's a 128bit number generated via MD5 by default). See http://www.php.net/manual/en/session.configuration.php#ini.session.hash-function

如果您想自定义 ID 的生成方式（默认情况下，它是通过 MD5 生成的 128 位数字），您可以安装替代的哈希生成功能。见http://www.php.net/manual/en/session.configuration.php#ini.session.hash-function

For more information on PHP sessions, try this excellent article http://shiflett.org/articles/the-truth-about-sessionswhich also links to other articles about session fixation and hiHyman.

有关 PHP 会话的更多信息，请尝试这篇出色的文章http://shiflett.org/articles/the-truth-about-sessions，该文章还链接到其他有关会话固定和劫持的文章。

Size of session_id
Assume that seesion_id is uniformly distributed and has size=128 bits. Assume that every person on the planet logs in once a day with a persistent an new session for 1000 years.

session_id 的大小
假设seesion_id 分布均匀，大小为128 位。假设地球上的每个人每天登录一次，并持续 1000 年的新会话。

num_sesion_ids  = 1000*365.25 *7*10**9 < 2**36
collission_prob < 1 - (1-1/2**82)**(2**36)  ≈ 1 - e**-(1/2**46) 
                ≈ 1/2**46 

So the the probability of one or more collision is less than one in 70 thousand billions. Hence the a 128-bit-size of the session_id should be big enough. As mentioned in other comments, the session_manager might also check that new session_id does not already exist.

所以一次或多次碰撞的概率不到七万分之一。因此 session_id 的 128 位大小应该足够大。正如其他评论中提到的， session_manager 也可能会检查新的 session_id 不存在。

Randomness
Therefore the big question I think is whether the session_id:s are generated with good pseudo randomness. On that you can never be sure, but I would recommend using a well known, and frequently used standard solution for this purpose (as you probably already do).

随机性
因此，我认为最大的问题是 session_id:s 是否以良好的伪随机性生成。对此，您永远无法确定，但我建议为此目的使用众所周知且常用的标准解决方案（您可能已经这样做了）。

Even if collisions are avoided due to checking, randomness and size of session_id is important, so that hackers can not, somehow do qualified guessing and find active session_id:s with large probability.

即使由于检查避免了冲突，session_id 的随机性和大小也很重要，因此黑客无法以某种方式进行合格的猜测并以大概率找到活动的 session_id:s。

I have not found a confirmation on this but i believe php checks if a session id already exists before creating one with that id.

我还没有找到对此的确认，但我相信 php 在创建具有该 ID 的会话 ID 之前会检查该会话 ID 是否已经存在。

The session hiHymaning issue people are worried about is when someone finds out the session id of an active user. This can be prevented in many ways, for more info on that you can see this pageon php.net and this paper on session fixation

人们担心的会话劫持问题是当有人发现活动用户的会话 ID 时。这可以通过多种方式防止，有关更多信息，您可以在 php.net 上查看此页面和有关会话固定的这篇论文

No, session id is not a GUID, but two users should not get the same session id as they are stored on the server side.

不，会话 ID 不是 GUID，但两个用户不应获得相同的会话 ID，因为它们存储在服务器端。

<?php
session_start();
$_SESSION['username']="username";
?>

<!DOCTYPE html>
<html>
<head>
    <title>Update</title>
</head>
<body>

<table border="2">
    <tr>
        <th>Username</th>
        <th>Email</th>
        <th>Edit</th>
    </tr>
<?php
     $conn=mysqli_connect("localhost","root","","telephasic");
     $q2="select * from register where username = '".$_SESSION['username']."'";
     $run=mysqli_query($conn, $q2);
     while($row=mysqli_fetch_array($run))
     {
         $name=$row[1];
         $email=$row[2];
     ?>

    <tr>
        <td><?php echo $name; ?></td>
        <td><?php echo $email; ?></td>
        <td><a href="edit.php"> Edit </a></td>
    </tr>
 <?php } ?>
 </table> 
 </body>

if your username is different or unique you can use this code for session

如果您的用户名不同或唯一，您可以使用此代码进行会话