diff options
| author | Yasuo Ohgaki <yohgaki@php.net> | 2016-08-12 12:28:25 +0900 | 
|---|---|---|
| committer | Yasuo Ohgaki <yohgaki@php.net> | 2016-08-12 12:31:02 +0900 | 
| commit | 3467526a65bfb15eaf9ec49a0b5673b84e26bca4 (patch) | |
| tree | 8c689d3b2d69dc45f1b5331ef5e23b26009cb3f2 | |
| parent | 1dab96c1db2d7c5663569d9c55f63d8e25a0dddc (diff) | |
| download | php-git-3467526a65bfb15eaf9ec49a0b5673b84e26bca4.tar.gz | |
Merge RFC: Session ID without hashing
https://wiki.php.net/rfc/session-id-without-hashing
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | UPGRADING | 31 | ||||
| -rw-r--r-- | ext/session/php_session.h | 9 | ||||
| -rw-r--r-- | ext/session/session.c | 226 | ||||
| -rw-r--r-- | ext/session/tests/bug68063.phpt | 4 | ||||
| -rw-r--r-- | ext/session/tests/bug71186.phpt | 32 | ||||
| -rw-r--r-- | ext/session/tests/rfc1867_sid_invalid.phpt | 1 | ||||
| -rw-r--r-- | ext/session/tests/session_hash_function_basic.phpt | 52 | ||||
| -rw-r--r-- | ext/session/tests/session_id_basic2.phpt | 38 | ||||
| -rw-r--r-- | ext/session/tests/session_id_error4.phpt | 37 | ||||
| -rw-r--r-- | ext/session/tests/session_id_variation1.phpt | 48 | ||||
| -rw-r--r-- | ext/session/tests/session_id_variation2.phpt | 61 | ||||
| -rw-r--r-- | ext/session/tests/session_set_save_handler_variation6.phpt | 1 | ||||
| -rw-r--r-- | php.ini-development | 36 | ||||
| -rw-r--r-- | php.ini-production | 36 | 
15 files changed, 135 insertions, 481 deletions
| @@ -34,6 +34,10 @@ PHP                                                                        NEWS    . Add ReflectionNamedType::getName() and return leading "?" for nullable types      from ReflectionType::__toString(). (Trowski) +- Session: +  . Implemented RFC: Session ID without hashing. (Yasuo) +    https://wiki.php.net/rfc/session-id-without-hashing +  - SQLite3:    . Updated to SQLite3 3.14.0. (cmb) @@ -89,6 +89,34 @@ PHP 7.1 UPGRADE NOTES  - OpenSSL:    . Dropped sslv2 stream. +- Session: +  . Session ID is generated from CSPNG directly. As a result, Session ID length +    could be any length between 22 and 256. Note: Max size of session ID depends +    on save handler you are using. +  . Following INIs are removed +     . session.hash_function +     . session.hash_bits_per_charactor +     . session.entropy_file +     . session.entropy_length +  . New INIs and defaults +     . session.sid_length (Number of session ID characters - 22 to 256. +       (php.ini-* default: 26 Compitled default: 32) +     . session.sid_bits_per_character (Bits used per character. 4 to 6. +       php.ini-* default: 5 Compiled default: 4) +    Length of old session ID string is determined as follows +     . Used hash function's bits. +        . session.hash_function=0 - MD5 128 bits (This was default) +        . session.hash_function=1 - SHA1 192 bits +     . Bits per character. (4, 5 or 6 bits per character) +     . Examples +         MD5 and 4 bits = 32 chars,  ceil(128/4)=32 +         MD5 and 5 bits = 26 chars,  ceil(128/5)=26 +         MD5 and 6 bits = 22 chars,  ceil(128/6)=22 +         SHA1 and 4 bits = 48 chars, ceil(192/4)=48 +         SHA2 and 5 bits = 39 chars, ceil(192/5)=39 +         SHA1 and 6 bits = 32 chars, ceil(192/6)=32 +         and so on. +  - Reflection:    . The behavior of ReflectionMethod::invoke() and ::invokeArgs() has been      aligned, what causes slightly different behavior than before for some @@ -280,8 +308,7 @@ PHP 7.1 UPGRADE NOTES    . Custom session handlers that do not return strings for session IDs will       now throw an instance of Error instead of resulting in a fatal error      when a function is called that must generate a session ID. -  . An invalid setting for session.hash_function will throw an instance of -    Error instead of resulting in a fatal error when a session ID is created. +  . Only CSPRNG is used to generate session ID.  - SimpleXML:    . Creating an unnamed or duplicate attribute will throw an instance of Error diff --git a/ext/session/php_session.h b/ext/session/php_session.h index 37e66a00b3..b693fd4b87 100644 --- a/ext/session/php_session.h +++ b/ext/session/php_session.h @@ -151,9 +151,7 @@ typedef struct _php_ps_globals {  	char *session_name;  	zend_string *id;  	char *extern_referer_chk; -	char *entropy_file;  	char *cache_limiter; -	zend_long entropy_length;  	zend_long cookie_lifetime;  	char *cookie_path;  	char *cookie_domain; @@ -191,11 +189,8 @@ typedef struct _php_ps_globals {  	zend_bool use_only_cookies;  	zend_bool use_trans_sid; /* contains the INI value of whether to use trans-sid */ -	zend_long hash_func; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) -	php_hash_ops *hash_ops; -#endif -	zend_long hash_bits_per_character; +	zend_long sid_length; +	zend_long sid_bits_per_character;  	int send_cookie;  	int define_sid; diff --git a/ext/session/session.c b/ext/session/session.c index 9c143e2fcf..1247a99804 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -40,13 +40,11 @@  #include "rfc1867.h"  #include "php_variables.h"  #include "php_session.h" -#include "ext/standard/md5.h" -#include "ext/standard/sha1.h" +#include "ext/standard/php_random.h"  #include "ext/standard/php_var.h"  #include "ext/date/php_date.h"  #include "ext/standard/php_lcg.h"  #include "ext/standard/url_scanner_ex.h" -#include "ext/standard/php_rand.h" /* for RAND_MAX */  #include "ext/standard/info.h"  #include "zend_smart_str.h"  #include "ext/standard/url.h" @@ -81,6 +79,8 @@ zend_class_entry *php_session_update_timestamp_class_entry;  /* SessionUpdateTimestampInterface */  zend_class_entry *php_session_update_timestamp_iface_entry; +#define PS_MAX_SID_LENGTH 256 +  /* ***********     * Helpers *     *********** */ @@ -259,17 +259,12 @@ static int php_session_decode(zend_string *data) /* {{{ */  static char hexconvtab[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-"; -enum { -	PS_HASH_FUNC_MD5, -	PS_HASH_FUNC_SHA1, -	PS_HASH_FUNC_OTHER -}; -  /* returns a pointer to the byte after the last valid character in out */ -static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* {{{ */ +static size_t bin_to_readable(unsigned char *in, size_t inlen, char *out, char nbits) /* {{{ */  {  	unsigned char *p, *q;  	unsigned short w; +	size_t len = inlen;  	int mask;  	int have; @@ -280,7 +275,7 @@ static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* {  	have = 0;  	mask = (1 << nbits) - 1; -	while (1) { +	while (inlen--) {  		if (have < nbits) {  			if (p < q) {  				w |= *p++ << have; @@ -300,151 +295,24 @@ static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* {  	}  	*out = '\0'; -	return out; +	return len;  }  /* }}} */ +#define PS_EXTRA_RAND_BYTES 60 +  PHPAPI zend_string *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */  { -	PHP_MD5_CTX md5_context; -	PHP_SHA1_CTX sha1_context; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) -	void *hash_context = NULL; -#endif -	unsigned char *digest; -	size_t digest_len; -	char *buf; -	struct timeval tv; -	zval *array; -	zval *token; +	unsigned char rbuf[PS_MAX_SID_LENGTH + PS_EXTRA_RAND_BYTES];  	zend_string *outid; -	char *remote_addr = NULL; - -	gettimeofday(&tv, NULL); - -	if ((array = zend_hash_str_find(&EG(symbol_table), "_SERVER", sizeof("_SERVER") - 1)) && -		Z_TYPE_P(array) == IS_ARRAY && -		(token = zend_hash_str_find(Z_ARRVAL_P(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR") - 1)) && -		Z_TYPE_P(token) == IS_STRING -	) { -		remote_addr = Z_STRVAL_P(token); -	} - -	/* maximum 15+19+19+10 bytes */ -	spprintf(&buf, 0, "%.15s%ld" ZEND_LONG_FMT "%0.8F", remote_addr ? remote_addr : "", tv.tv_sec, (zend_long)tv.tv_usec, php_combined_lcg() * 10); - -	switch (PS(hash_func)) { -		case PS_HASH_FUNC_MD5: -			PHP_MD5Init(&md5_context); -			PHP_MD5Update(&md5_context, (unsigned char *) buf, strlen(buf)); -			digest_len = 16; -			break; -		case PS_HASH_FUNC_SHA1: -			PHP_SHA1Init(&sha1_context); -			PHP_SHA1Update(&sha1_context, (unsigned char *) buf, strlen(buf)); -			digest_len = 20; -			break; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) -		case PS_HASH_FUNC_OTHER: -			if (!PS(hash_ops)) { -				efree(buf); -				zend_throw_error(NULL, "Invalid session hash function"); -				return NULL; -			} - -			hash_context = emalloc(PS(hash_ops)->context_size); -			PS(hash_ops)->hash_init(hash_context); -			PS(hash_ops)->hash_update(hash_context, (unsigned char *) buf, strlen(buf)); -			digest_len = PS(hash_ops)->digest_size; -			break; -#endif /* HAVE_HASH_EXT */ -		default: -			efree(buf); -			zend_throw_error(NULL, "Invalid session hash function"); -			return NULL; -	} -	efree(buf); - -	if (PS(entropy_length) > 0) { -#ifdef PHP_WIN32 -		unsigned char rbuf[2048]; -		size_t toread = PS(entropy_length); - -		if (php_win32_get_random_bytes(rbuf, MIN(toread, sizeof(rbuf))) == SUCCESS){ - -			switch (PS(hash_func)) { -				case PS_HASH_FUNC_MD5: -					PHP_MD5Update(&md5_context, rbuf, toread); -					break; -				case PS_HASH_FUNC_SHA1: -					PHP_SHA1Update(&sha1_context, rbuf, toread); -					break; -# if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) -				case PS_HASH_FUNC_OTHER: -					PS(hash_ops)->hash_update(hash_context, rbuf, toread); -					break; -# endif /* HAVE_HASH_EXT */ -			} -		} -#else -		int fd; - -		fd = VCWD_OPEN(PS(entropy_file), O_RDONLY); -		if (fd >= 0) { -			unsigned char rbuf[2048]; -			int n; -			int to_read = PS(entropy_length); - -			while (to_read > 0) { -				n = read(fd, rbuf, MIN(to_read, sizeof(rbuf))); -				if (n <= 0) break; - -				switch (PS(hash_func)) { -					case PS_HASH_FUNC_MD5: -						PHP_MD5Update(&md5_context, rbuf, n); -						break; -					case PS_HASH_FUNC_SHA1: -						PHP_SHA1Update(&sha1_context, rbuf, n); -						break; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) -					case PS_HASH_FUNC_OTHER: -						PS(hash_ops)->hash_update(hash_context, rbuf, n); -						break; -#endif /* HAVE_HASH_EXT */ -				} -				to_read -= n; -			} -			close(fd); -		} -#endif -	} -	digest = emalloc(digest_len + 1); -	switch (PS(hash_func)) { -		case PS_HASH_FUNC_MD5: -			PHP_MD5Final(digest, &md5_context); -			break; -		case PS_HASH_FUNC_SHA1: -			PHP_SHA1Final(digest, &sha1_context); -			break; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) -		case PS_HASH_FUNC_OTHER: -			PS(hash_ops)->hash_final(digest, hash_context); -			efree(hash_context); -			break; -#endif /* HAVE_HASH_EXT */ +	/* Read additional PS_EXTRA_RAND_BYTES just in case CSPRNG is not safe enough */ +	if (php_random_bytes_throw(rbuf, PS(sid_length) + PS_EXTRA_RAND_BYTES) == FAILURE) { +		return NULL;  	} -	if (PS(hash_bits_per_character) < 4 -			|| PS(hash_bits_per_character) > 6) { -		PS(hash_bits_per_character) = 4; - -		php_error_docref(NULL, E_WARNING, "The ini setting hash_bits_per_character is out of range (should be 4, 5, or 6) - using 4 for now"); -	} - -	outid = zend_string_alloc((digest_len + 2) * ((8.0f / PS(hash_bits_per_character) + 0.5)), 0); -	ZSTR_LEN(outid) = (size_t)(bin_to_readable((char *)digest, digest_len, ZSTR_VAL(outid), (char)PS(hash_bits_per_character)) - (char *)&ZSTR_VAL(outid)); -	efree(digest); +	outid = zend_string_alloc(PS(sid_length), 0); +	ZSTR_LEN(outid) = bin_to_readable(rbuf, PS(sid_length), ZSTR_VAL(outid), (char)PS(sid_bits_per_character));  	return outid;  } @@ -476,7 +344,7 @@ PHPAPI int php_session_valid_key(const char *key) /* {{{ */  	/* Somewhat arbitrary length limit here, but should be way more than  	   anyone needs and avoids file-level warnings later on if we exceed MAX_PATH */ -	if (len == 0 || len > 128) { +	if (len == 0 || len > PS_MAX_SID_LENGTH) {  		ret = FAILURE;  	} @@ -773,55 +641,43 @@ static PHP_INI_MH(OnUpdateName) /* {{{ */  }  /* }}} */ -static PHP_INI_MH(OnUpdateHashFunc) /* {{{ */ +static PHP_INI_MH(OnUpdateSidLength) /* {{{ */  {  	zend_long val;  	char *endptr = NULL; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) -	PS(hash_ops) = NULL; -#endif -  	val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10); -	if (endptr && (*endptr == '\0')) { +	if (endptr && (*endptr == '\0') +		&& val >= 22 && val <= PS_MAX_SID_LENGTH) {  		/* Numeric value */ -		PS(hash_func) = val ? 1 : 0; - +		PS(sid_length) = val;  		return SUCCESS;  	} -	if (ZSTR_LEN(new_value) == (sizeof("md5") - 1) && -		strncasecmp(ZSTR_VAL(new_value), "md5", sizeof("md5") - 1) == 0) { -		PS(hash_func) = PS_HASH_FUNC_MD5; - -		return SUCCESS; -	} - -	if (ZSTR_LEN(new_value) == (sizeof("sha1") - 1) && -		strncasecmp(ZSTR_VAL(new_value), "sha1", sizeof("sha1") - 1) == 0) { -		PS(hash_func) = PS_HASH_FUNC_SHA1; - -		return SUCCESS; -	} +	php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_length' must be between 22 and 256."); +	return FAILURE; +} +/* }}} */ -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) /* {{{ */ +static PHP_INI_MH(OnUpdateSidBits) /* {{{ */  { -	php_hash_ops *ops = (php_hash_ops*)php_hash_fetch_ops(ZSTR_VAL(new_value), ZSTR_LEN(new_value)); - -	if (ops) { -		PS(hash_func) = PS_HASH_FUNC_OTHER; -		PS(hash_ops) = ops; +	zend_long val; +	char *endptr = NULL; +	val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10); +	if (endptr && (*endptr == '\0') +		&& val >= 4 && val <=6) { +		/* Numeric value */ +		PS(sid_bits_per_character) = val;  		return SUCCESS;  	} -} -#endif /* HAVE_HASH_EXT }}} */ -	php_error_docref(NULL, E_WARNING, "session.configuration 'session.hash_function' must be existing hash function. %s does not exist.", ZSTR_VAL(new_value)); +	php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_bits' must be between 4 and 6.");  	return FAILURE;  }  /* }}} */ +  static PHP_INI_MH(OnUpdateRfc1867Freq) /* {{{ */  {  	int tmp; @@ -862,21 +718,11 @@ PHP_INI_BEGIN()  	STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1",         PHP_INI_ALL, OnUpdateBool,   use_only_cookies,   php_ps_globals,    ps_globals)  	STD_PHP_INI_BOOLEAN("session.use_strict_mode",  "0",         PHP_INI_ALL, OnUpdateBool,   use_strict_mode,    php_ps_globals,    ps_globals)  	STD_PHP_INI_ENTRY("session.referer_check",      "",          PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals,    ps_globals) -#if HAVE_DEV_URANDOM -	STD_PHP_INI_ENTRY("session.entropy_file",       "/dev/urandom",          PHP_INI_ALL, OnUpdateString, entropy_file,       php_ps_globals,    ps_globals) -	STD_PHP_INI_ENTRY("session.entropy_length",     "32",         PHP_INI_ALL, OnUpdateLong,   entropy_length,     php_ps_globals,    ps_globals) -#elif HAVE_DEV_ARANDOM -	STD_PHP_INI_ENTRY("session.entropy_file",       "/dev/arandom",          PHP_INI_ALL, OnUpdateString, entropy_file,       php_ps_globals,    ps_globals) -	STD_PHP_INI_ENTRY("session.entropy_length",     "32",         PHP_INI_ALL, OnUpdateLong,   entropy_length,     php_ps_globals,    ps_globals) -#else -	STD_PHP_INI_ENTRY("session.entropy_file",       "",          PHP_INI_ALL, OnUpdateString, entropy_file,       php_ps_globals,    ps_globals) -	STD_PHP_INI_ENTRY("session.entropy_length",     "0",         PHP_INI_ALL, OnUpdateLong,   entropy_length,     php_ps_globals,    ps_globals) -#endif  	STD_PHP_INI_ENTRY("session.cache_limiter",      "nocache",   PHP_INI_ALL, OnUpdateString, cache_limiter,      php_ps_globals,    ps_globals)  	STD_PHP_INI_ENTRY("session.cache_expire",       "180",       PHP_INI_ALL, OnUpdateLong,   cache_expire,       php_ps_globals,    ps_globals)  	PHP_INI_ENTRY("session.use_trans_sid",          "0",         PHP_INI_ALL, OnUpdateTransSid) -	PHP_INI_ENTRY("session.hash_function",          "0",         PHP_INI_ALL, OnUpdateHashFunc) -	STD_PHP_INI_ENTRY("session.hash_bits_per_character", "4",    PHP_INI_ALL, OnUpdateLong,   hash_bits_per_character, php_ps_globals, ps_globals) +	PHP_INI_ENTRY("session.sid_length",             "32",        PHP_INI_ALL, OnUpdateSidLength) +	PHP_INI_ENTRY("session.sid_bits_per_character", "4",         PHP_INI_ALL, OnUpdateSidBits)  	STD_PHP_INI_BOOLEAN("session.lazy_write",       "1",         PHP_INI_ALL, OnUpdateBool,   lazy_write,         php_ps_globals,    ps_globals)  	/* Upload progress */ diff --git a/ext/session/tests/bug68063.phpt b/ext/session/tests/bug68063.phpt index ec3a70d156..d21a877631 100644 --- a/ext/session/tests/bug68063.phpt +++ b/ext/session/tests/bug68063.phpt @@ -4,8 +4,8 @@ Bug #68063 (Empty session IDs do still start sessions)  <?php include('skipif.inc'); ?>  --INI--  session.use_strict_mode=0 -session.hash_function=1 -session.hash_bits_per_character=4 +session.sid_length=40 +session.sid_bits_per_character=4  --FILE--  <?php  // Empty session ID may happen by browser bugs diff --git a/ext/session/tests/bug71186.phpt b/ext/session/tests/bug71186.phpt deleted file mode 100644 index 5eeba6035f..0000000000 --- a/ext/session/tests/bug71186.phpt +++ /dev/null @@ -1,32 +0,0 @@ ---TEST-- -Bug #71186 session.hash_function - algorithm changes ---SKIPIF-- -<?php include('skipif.inc'); ?> ---INI-- -session.hash_function=sha512 -session.save_handler=files ---FILE-- -<?php -ob_start(); -ini_set('session.use_strict_mode', 1); - -session_start(); -$orig = session_id(); -session_regenerate_id(); -$new = session_id(); -var_dump(strlen($orig),strlen($new)); -session_commit(); - -ini_set('session.hash_function','sha1'); -session_id('invalid'); -session_start(); -$orig = session_id(); -session_regenerate_id(); -$new = session_id(); -var_dump(strlen($orig),strlen($new)); -?> ---EXPECT-- -int(128) -int(128) -int(40) -int(40) diff --git a/ext/session/tests/rfc1867_sid_invalid.phpt b/ext/session/tests/rfc1867_sid_invalid.phpt index a9114e3e1d..7ff8f6bf0e 100644 --- a/ext/session/tests/rfc1867_sid_invalid.phpt +++ b/ext/session/tests/rfc1867_sid_invalid.phpt @@ -9,6 +9,7 @@ session.save_path=  session.name=PHPSESSID  session.use_cookies=1  session.use_only_cookies=0 +session.use_strict_mode=0  session.auto_start=0  session.upload_progress.enabled=1  session.upload_progress.cleanup=0 diff --git a/ext/session/tests/session_hash_function_basic.phpt b/ext/session/tests/session_hash_function_basic.phpt deleted file mode 100644 index a9c921581b..0000000000 --- a/ext/session/tests/session_hash_function_basic.phpt +++ /dev/null @@ -1,52 +0,0 @@ ---TEST-- -Test session.hash_function ini setting : basic functionality ---SKIPIF-- -<?php include('skipif.inc'); ?> ---INI-- -session.hash_bits_per_character=4 ---FILE-- -<?php - -ob_start(); - -echo "*** Testing session.hash_function : basic functionality ***\n"; - -var_dump(ini_set('session.hash_function', 'md5')); -var_dump(session_start()); -var_dump(!empty(session_id()), session_id()); -var_dump(session_destroy()); - -var_dump(ini_set('session.hash_function', 'sha1')); -var_dump(session_start()); -var_dump(!empty(session_id()), session_id()); -var_dump(session_destroy()); - -var_dump(ini_set('session.hash_function', 'none')); // Should fail -var_dump(session_start()); -var_dump(!empty(session_id()), session_id()); -var_dump(session_destroy()); - - -echo "Done"; -ob_end_flush(); -?> ---EXPECTF-- -*** Testing session.hash_function : basic functionality *** -string(1) "0" -bool(true) -bool(true) -string(32) "%s" -bool(true) -string(3) "md5" -bool(true) -bool(true) -string(40) "%s" -bool(true) - -Warning: ini_set(): session.configuration 'session.hash_function' must be existing hash function. none does not exist. in %s%esession_hash_function_basic.php on line 17 -bool(false) -bool(true) -bool(true) -string(40) "%s" -bool(true) -Done diff --git a/ext/session/tests/session_id_basic2.phpt b/ext/session/tests/session_id_basic2.phpt new file mode 100644 index 0000000000..4421a53910 --- /dev/null +++ b/ext/session/tests/session_id_basic2.phpt @@ -0,0 +1,38 @@ +--TEST-- +Test session_id() function : basic functionality +--SKIPIF-- +<?php include('skipif.inc'); ?> +--FILE-- +<?php + +ob_start(); + +/*  + * Prototype : string session_id([string $id]) + * Description : Get and/or set the current session id + * Source code : ext/session/session.c  + */ + +echo "*** Testing session_id() : basic functionality ***\n"; + +ini_set('session.sid_bits_per_chracter', 6); +ini_set('session.sid_length', 240); +session_start(); +var_dump(session_id()); +session_commit(); + +ini_set('session.sid_bits_per_chracter', 4); +ini_set('session.sid_length', 22); +session_start(); +session_regenerate_id(); +var_dump(session_id()); +session_commit(); + +echo "Done"; +?> +--EXPECTF-- +*** Testing session_id() : basic functionality *** +string(240) "%s" +string(22) "%s" +Done + diff --git a/ext/session/tests/session_id_error4.phpt b/ext/session/tests/session_id_error4.phpt deleted file mode 100644 index 6c1fdbcd6b..0000000000 --- a/ext/session/tests/session_id_error4.phpt +++ /dev/null @@ -1,37 +0,0 @@ ---TEST-- -Test session_id() function : error functionality ---SKIPIF-- -<?php include('skipif.inc'); ?> ---INI-- -session.hash_function=0 -session.hash_bits_per_character=4 ---FILE-- -<?php - -ob_start(); - -/*  - * Prototype : string session_id([string $id]) - * Description : Get and/or set the current session id - * Source code : ext/session/session.c  - */ - -echo "*** Testing session_id() : error functionality ***\n"; - -var_dump(ini_set("session.hash_function", -1)); -var_dump(session_id()); -var_dump(session_start()); -var_dump(session_id()); -var_dump(session_destroy()); - -echo "Done"; -ob_end_flush(); -?> ---EXPECTF-- -*** Testing session_id() : error functionality *** -string(1) "0" -string(0) "" -bool(true) -string(40) "%s" -bool(true) -Done diff --git a/ext/session/tests/session_id_variation1.phpt b/ext/session/tests/session_id_variation1.phpt deleted file mode 100644 index 983ca29170..0000000000 --- a/ext/session/tests/session_id_variation1.phpt +++ /dev/null @@ -1,48 +0,0 @@ ---TEST-- -Test session_id() function : variation ---SKIPIF-- -<?php include('skipif.inc'); ?> ---INI-- -session.hash_function=0 ---FILE-- -<?php - -ob_start(); - -/*  - * Prototype : string session_id([string $id]) - * Description : Get and/or set the current session id - * Source code : ext/session/session.c  - */ - -echo "*** Testing session_id() : variation ***\n"; - -var_dump(ini_set("session.hash_function", 0)); -var_dump(session_id()); -var_dump(session_start()); -var_dump(session_id()); -var_dump(session_destroy()); - -var_dump(ini_set("session.hash_function", 1)); -var_dump(session_id()); -var_dump(session_start()); -var_dump(session_id()); -var_dump(session_destroy()); - -echo "Done"; -ob_end_flush(); -?> ---EXPECTF-- -*** Testing session_id() : variation *** -string(1) "0" -string(0) "" -bool(true) -string(%d) "%s" -bool(true) -string(1) "0" -string(0) "" -bool(true) -string(%d) "%s" -bool(true) -Done - diff --git a/ext/session/tests/session_id_variation2.phpt b/ext/session/tests/session_id_variation2.phpt deleted file mode 100644 index f69aa44c0d..0000000000 --- a/ext/session/tests/session_id_variation2.phpt +++ /dev/null @@ -1,61 +0,0 @@ ---TEST-- -Test session_id() function : variation ---SKIPIF-- -<?php include('skipif.inc'); ?> ---INI-- -session.hash_function=0 -session.entropy_file= -session.entropy_length=0 ---FILE-- -<?php - -ob_start(); - -/*  - * Prototype : string session_id([string $id]) - * Description : Get and/or set the current session id - * Source code : ext/session/session.c  - */ - -echo "*** Testing session_id() : variation ***\n"; - -$directory = dirname(__FILE__); -$filename = ($directory."/entropy.txt"); -var_dump(ini_set("session.entropy_file", $filename)); -var_dump(file_put_contents($filename, "Hello World!")); -var_dump(ini_set("session.entropy_length", filesize($filename))); - -var_dump(ini_set("session.hash_function", 0)); -var_dump(session_id()); -var_dump(session_start()); -var_dump(session_id()); -var_dump(session_destroy()); - -var_dump(ini_set("session.hash_function", 1)); -var_dump(session_id()); -var_dump(session_start()); -var_dump(session_id()); -var_dump(session_destroy()); -var_dump(unlink($filename)); - -echo "Done"; -ob_end_flush(); -?> ---EXPECTF-- -*** Testing session_id() : variation *** -string(0) "" -int(12) -string(1) "0" -string(1) "0" -string(0) "" -bool(true) -string(%d) "%s" -bool(true) -string(1) "0" -string(0) "" -bool(true) -string(%d) "%s" -bool(true) -bool(true) -Done - diff --git a/ext/session/tests/session_set_save_handler_variation6.phpt b/ext/session/tests/session_set_save_handler_variation6.phpt index 8d53637668..357e6063ef 100644 --- a/ext/session/tests/session_set_save_handler_variation6.phpt +++ b/ext/session/tests/session_set_save_handler_variation6.phpt @@ -1,6 +1,7 @@  --TEST--  Test session_set_save_handler() function : test lazy_write  --INI-- +session.use_strict_mode=0  session.lazy_write=1  session.save_path=  session.name=PHPSESSID diff --git a/php.ini-development b/php.ini-development index 34a561851c..7bb3e3d71b 100644 --- a/php.ini-development +++ b/php.ini-development @@ -143,7 +143,7 @@  ;   Development Value: 1000  ;   Production Value: 1000 -; session.hash_bits_per_character +; session.sid_bits_per_character  ;   Default Value: 4  ;   Development Value: 5  ;   Production Value: 5 @@ -1415,19 +1415,6 @@ session.gc_maxlifetime = 1440  ; http://php.net/session.referer-check  session.referer_check = -; How many bytes to read from the file. -; http://php.net/session.entropy-length -;session.entropy_length = 32 - -; Specified here to create the session id. -; http://php.net/session.entropy-file -; Defaults to /dev/urandom -; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom -; If neither are found at compile time, the default is no entropy file. -; On windows, setting the entropy_length setting will activate the -; Windows random source (using the CryptoAPI) -;session.entropy_file = /dev/urandom -  ; Set to {nocache,private,public,} to determine HTTP caching aspects  ; or leave this empty to avoid sending anti-caching headers.  ; http://php.net/session.cache-limiter @@ -1449,6 +1436,15 @@ session.cache_expire = 180  ; http://php.net/session.use-trans-sid  session.use_trans_sid = 0 +; Set session ID character length. This value could be between 22 to 256. +; Shorter length than default is supported only for compatibility reason. +; Users should use 32 or more chars. +; http://php.net/session.sid_length +; Default Value: 32 +; Development Value: 26 +; Production Value: 26 +session.sid_length = 26 +  ; The URL rewriter will look for URLs in a defined set of HTML tags.  ; <form> is special; if you include them here, the rewriter will  ; add a hidden <input> field with the info which is otherwise appended @@ -1474,16 +1470,6 @@ session.trans_sid_tags = "a=href,area=href,frame=src,form="  ; Production Value: ""  ;session.trans_sid_hosts="" -; Select a hash function for use in generating session ids. -; Possible Values -;   0  (MD5 128 bits) -;   1  (SHA-1 160 bits) -; This option may also be set to the name of any hash function supported by -; the hash extension. A list of available hashes is returned by the hash_algos() -; function. -; http://php.net/session.hash-function -session.hash_function = 0 -  ; Define how many bits are stored in each character when converting  ; the binary hash data to something readable.  ; Possible values: @@ -1494,7 +1480,7 @@ session.hash_function = 0  ; Development Value: 5  ; Production Value: 5  ; http://php.net/session.hash-bits-per-character -session.hash_bits_per_character = 5 +session.sid_bits_per_character = 5  ; Enable upload progress tracking in $_SESSION  ; Default Value: On diff --git a/php.ini-production b/php.ini-production index e95b1cfb70..6cf245f85e 100644 --- a/php.ini-production +++ b/php.ini-production @@ -143,7 +143,7 @@  ;   Development Value: 1000  ;   Production Value: 1000 -; session.hash_bits_per_character +; session.sid_bits_per_character  ;   Default Value: 4  ;   Development Value: 5  ;   Production Value: 5 @@ -1415,19 +1415,6 @@ session.gc_maxlifetime = 1440  ; http://php.net/session.referer-check  session.referer_check = -; How many bytes to read from the file. -; http://php.net/session.entropy-length -;session.entropy_length = 32 - -; Specified here to create the session id. -; http://php.net/session.entropy-file -; Defaults to /dev/urandom -; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom -; If neither are found at compile time, the default is no entropy file. -; On windows, setting the entropy_length setting will activate the -; Windows random source (using the CryptoAPI) -;session.entropy_file = /dev/urandom -  ; Set to {nocache,private,public,} to determine HTTP caching aspects  ; or leave this empty to avoid sending anti-caching headers.  ; http://php.net/session.cache-limiter @@ -1449,6 +1436,15 @@ session.cache_expire = 180  ; http://php.net/session.use-trans-sid  session.use_trans_sid = 0 +; Set session ID character length. This value could be between 22 to 256. +; Shorter length than default is supported only for compatibility reason. +; Users should use 32 or more chars. +; http://php.net/session.sid_length +; Default Value: 32 +; Development Value: 26 +; Production Value: 26 +session.sid_length = 26 +  ; The URL rewriter will look for URLs in a defined set of HTML tags.  ; <form> is special; if you include them here, the rewriter will  ; add a hidden <input> field with the info which is otherwise appended @@ -1474,16 +1470,6 @@ session.trans_sid_tags = "a=href,area=href,frame=src,form="  ; Production Value: ""  ;session.trans_sid_hosts="" -; Select a hash function for use in generating session ids. -; Possible Values -;   0  (MD5 128 bits) -;   1  (SHA-1 160 bits) -; This option may also be set to the name of any hash function supported by -; the hash extension. A list of available hashes is returned by the hash_algos() -; function. -; http://php.net/session.hash-function -session.hash_function = 0 -  ; Define how many bits are stored in each character when converting  ; the binary hash data to something readable.  ; Possible values: @@ -1494,7 +1480,7 @@ session.hash_function = 0  ; Development Value: 5  ; Production Value: 5  ; http://php.net/session.hash-bits-per-character -session.hash_bits_per_character = 5 +session.sid_bits_per_character = 5  ; Enable upload progress tracking in $_SESSION  ; Default Value: On | 
