HiveBrain v1.2.0
Tags: pattern, php, Minor

Protect from people bruteforcing the PHPSESSID

Submitted by: @import:stackexchange-codereview

Problem

The PHPSESSID is stored in the client's cookie, so I don't consider it secure. Someone might bruteforce it and perform some action (like a Facebook status post) whenever a session was successfully hijacked.

I was wondering how I can protect against attacks like that. Maybe by locking out suspect users? My solution I came up with is a bit different:



What do you think about it? Can I consider this as secure or are any other steps required? Will it protect me successfully from the described attacks?

Solution

To prevent brute forcing of the PHP Session ID you should use configuration rather than rolling your own security.

From OWASP Session Management Cheat Sheet - Session ID Length:

The session ID must be long enough to prevent brute force attacks, where an attacker can go through the whole range of ID values and verify the existence of valid sessions.

The session ID length must be at least 128 bits (16 bytes).

This should be secure enough to prevent brute forcing:

...it will take an attacker at least 292 years to successfully guess a valid session ID

Check your entropy settings within php.ini and that session.entropy_length is set to 16.

Regarding the code itself:

// Generate a random lowercase alphanumeric string
$sessionKey = substr(str_shuffle(str_repeat('0123456789abcdefghijklmnopqrstuvwxyz', 5)), 0, 32);


str_shuffle does not produce cryptographically secure randomness, so it is unsuitable for producing anything security related such as tokens. You should write your own function based on openssl_random_pseudo_bytes or any other cryptographically secure source.
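An added example, not part of the answer above or of the original question: the str_shuffle() snippet under review beside a random_bytes()-based replacement, an entropy calculation for both, and the session settings that stand in for session.entropy_length on current PHP (that directive was removed in PHP 7.1, which introduced session.sid_length and session.sid_bits_per_character instead). The function names, the ini values chosen and the attacker figures in the demo are illustrative assumptions, not from the page.

```php
<?php
declare(strict_types=1);

// --- The snippet under review, kept for comparison. ---
// str_shuffle() is driven by mt_rand() (Mersenne Twister), not a CSPRNG: an
// attacker who observes a few outputs can recover the generator state and
// predict the rest, whatever the nominal alphabet size.
function weakSessionKey(): string
{
    return substr(str_shuffle(str_repeat('0123456789abcdefghijklmnopqrstuvwxyz', 5)), 0, 32);
}

// --- Hardened replacement. ---
// random_bytes() (PHP 7.0+) reads the OS CSPRNG and throws if none is available;
// on PHP 5.x use openssl_random_pseudo_bytes() as the answer suggests. Hex
// encoding keeps all 8 bits per byte, so 16 bytes meets the OWASP 128-bit floor.
function secureSessionKey(int $bytes = 32): string
{
    if ($bytes < 16) {
        throw new InvalidArgumentException('token needs at least 128 bits (16 bytes) of entropy');
    }
    return bin2hex(random_bytes($bytes));
}

// Entropy a token carries when every character is chosen uniformly and
// independently: bits = length * log2(alphabet). 32 chars over [0-9a-z] is
// nominally 165 bits; the weak function never reaches that because mt_rand()
// output is predictable, which is the whole point of the critique.
function tokenEntropyBits(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

// Expected brute-force time (illustrative formula): with $activeSessions valid
// IDs in a space of 2^bits, the attacker expects to spend 2^bits / (2 * active)
// guesses before hitting any one of them.
function expectedYearsToGuess(float $bits, int $activeSessions, float $guessesPerSecond): float
{
    $expectedGuesses = (2 ** $bits) / (2 * $activeSessions);
    return $expectedGuesses / $guessesPerSecond / (365.25 * 86400);
}

// Compare a presented token with the stored one in constant time.
function tokenMatches(string $stored, string $presented): bool
{
    return hash_equals($stored, $presented);
}

// Session hardening, applied before session_start(). On PHP 7.1+ the ID size
// comes from session.sid_length and session.sid_bits_per_character;
// session.entropy_length no longer exists there. use_strict_mode makes PHP
// refuse an ID it did not issue, so a guessed or fixated ID never becomes a
// live session. Values below are assumed choices, not a page recommendation.
function hardenSessionConfig(): void
{
    ini_set('session.sid_length', '48');            // 48 characters
    ini_set('session.sid_bits_per_character', '6'); // * 6 bits = 288 bits of ID
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_samesite', 'Lax');      // PHP 7.3+
}

if (PHP_SAPI === 'cli') {
    hardenSessionConfig();
    session_start();
    printf("PHP session id length   : %d\n", strlen(session_id()));
    printf("weak key                : %s\n", weakSessionKey());
    printf("secure key              : %s\n", secureSessionKey());
    printf("nominal bits, weak key  : %.1f\n", tokenEntropyBits(32, 36));
    // assumed attacker: 100000 live sessions, one billion guesses per second
    printf("years to guess 128-bit  : %.3g\n", expectedYearsToGuess(128.0, 100000, 1e9));
    $stored = secureSessionKey();
    printf("hash_equals self-check  : %s\n", tokenMatches($stored, $stored) ? 'ok' : 'FAIL');
}
```

The demo prints a 48-character PHP session ID, a 64-character hex key, about 165 nominal bits for the weak alphabet, and a guess time on the order of 10^16 years for a 128-bit ID under the assumed attacker; run it from the command line with php.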

Code Snippets

// Generate a random lowercase alphanumeric string
$sessionKey = substr(str_shuffle(str_repeat('0123456789abcdefghijklmnopqrstuvwxyz', 5)), 0, 32);

Context

StackExchange Code Review Q#75310, answer score: 4
