Cross-Site Cookie Manipulation

For years, we’ve been told to keep the values of sensitive session cookies unpredictable and complex in order to prevent attacks such as session enumeration. And it made sense: if the session ID is long, complex, and generated by a cryptographically secure random source, it's practically impossible for an attacker to guess it.
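As an added example (not code from the original post), the snippet below shows the baseline the paragraph describes: a trivially enumerable session ID beside one drawn from PHP's CSPRNG, a rough entropy estimate for each, and the `session.*` ini settings that make PHP's own session ID generation unpredictable. It assumes PHP 7.3 or later; the function names are mine, and the numbers are illustrative. This is the baseline the rest of the post treats as necessary but not sufficient in a shared hosting environment.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.3.

// Weak: a predictable, low-entropy ID an attacker could enumerate.
// Shown only as the "before" case the post argues against; never use it.
function weakSessionId(int $userId): string {
    return 'sess' . $userId;            // e.g. "sess1042": trivially guessable
}

// Strong: 128 bits from the OS CSPRNG, hex-encoded (32 characters).
function strongSessionId(int $bytes = 16): string {
    return bin2hex(random_bytes($bytes));
}

// Rough size of the search space an enumerator faces, in bits:
// length * log2(alphabet size).
function idEntropyBits(int $length, int $alphabetSize): float {
    return $length * log($alphabetSize, 2);
}

// Harden PHP's built-in session ID generation before session_start().
ini_set('session.sid_length', '48');            // characters (default 32)
ini_set('session.sid_bits_per_character', '6'); // 64-char alphabet (default 4 = hex)
ini_set('session.use_strict_mode', '1');        // reject IDs the server did not issue
ini_set('session.cookie_httponly', '1');        // not readable from JavaScript
ini_set('session.cookie_secure', '1');          // only sent over HTTPS
ini_set('session.cookie_samesite', 'Strict');   // not sent on cross-site requests

// Weak ID: assume numeric user IDs up to 4 digits -> ~13 bits of "entropy".
printf("weak:   %s (~%.0f bits)\n", weakSessionId(1042), idEntropyBits(4, 10));
// Strong ID: 32 hex characters -> 128 bits.
printf("strong: %s (%.0f bits)\n", strongSessionId(), idEntropyBits(32, 16));
// PHP's generator with the settings above: 48 chars * 6 bits = 288 bits.
printf("php:    %d chars x 6 bits = %.0f bits\n", 48, idEntropyBits(48, 64));
```

With `session.use_strict_mode` on, PHP refuses to adopt a session ID it did not issue, which closes the classic session-fixation route; the entropy settings make guessing infeasible. Neither addresses what the post goes on to discuss: an attacker on the same shared host does not need to guess the ID at all.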

However, from time to time, it's a good idea to look at recommended and widely-followed security practices and ask yourself: "Is this actually the most secure way to do things?" and "Is it enough?" You'd be surprised how often the answer is no. In this blog post, we discuss the security of PHP's session cookies in a shared hosting environment and explain why a cryptographically secure, random session ID is not enough to prevent attacks.