From: Yasuo Ohgaki Date: Fri, 12 Aug 2016 03:28:25 +0000 (+0900) Subject: Merge RFC: Session ID without hashing X-Git-Tag: php-7.1.0beta3~65 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3467526a65bfb15eaf9ec49a0b5673b84e26bca4;p=php Merge RFC: Session ID without hashing https://wiki.php.net/rfc/session-id-without-hashing --- diff --git a/NEWS b/NEWS index 55bf0bcd6a..1418b91b17 100644 --- a/NEWS +++ b/NEWS @@ -34,6 +34,10 @@ PHP NEWS . Add ReflectionNamedType::getName() and return leading "?" for nullable types from ReflectionType::__toString(). (Trowski) +- Session: + . Implemented RFC: Session ID without hashing. (Yasuo) + https://wiki.php.net/rfc/session-id-without-hashing + - SQLite3: . Updated to SQLite3 3.14.0. (cmb) diff --git a/UPGRADING b/UPGRADING index 6ec40e7619..33616627fc 100644 --- a/UPGRADING +++ b/UPGRADING @@ -89,6 +89,34 @@ PHP 7.1 UPGRADE NOTES - OpenSSL: . Dropped sslv2 stream. +- Session: + . Session ID is generated from CSPNG directly. As a result, Session ID length + could be any length between 22 and 256. Note: Max size of session ID depends + on save handler you are using. + . Following INIs are removed + . session.hash_function + . session.hash_bits_per_charactor + . session.entropy_file + . session.entropy_length + . New INIs and defaults + . session.sid_length (Number of session ID characters - 22 to 256. + (php.ini-* default: 26 Compitled default: 32) + . session.sid_bits_per_character (Bits used per character. 4 to 6. + php.ini-* default: 5 Compiled default: 4) + Length of old session ID string is determined as follows + . Used hash function's bits. + . session.hash_function=0 - MD5 128 bits (This was default) + . session.hash_function=1 - SHA1 192 bits + . Bits per character. (4, 5 or 6 bits per character) + . Examples + MD5 and 4 bits = 32 chars, ceil(128/4)=32 + MD5 and 5 bits = 26 chars, ceil(128/5)=26 + MD5 and 6 bits = 22 chars, ceil(128/6)=22 + SHA1 and 4 bits = 48 chars, ceil(192/4)=48 + SHA2 and 5 bits = 39 chars, ceil(192/5)=39 + SHA1 and 6 bits = 32 chars, ceil(192/6)=32 + and so on. + - Reflection: . The behavior of ReflectionMethod::invoke() and ::invokeArgs() has been aligned, what causes slightly different behavior than before for some @@ -280,8 +308,7 @@ PHP 7.1 UPGRADE NOTES . Custom session handlers that do not return strings for session IDs will now throw an instance of Error instead of resulting in a fatal error when a function is called that must generate a session ID. - . An invalid setting for session.hash_function will throw an instance of - Error instead of resulting in a fatal error when a session ID is created. + . Only CSPRNG is used to generate session ID. - SimpleXML: . Creating an unnamed or duplicate attribute will throw an instance of Error diff --git a/ext/session/php_session.h b/ext/session/php_session.h index 37e66a00b3..b693fd4b87 100644 --- a/ext/session/php_session.h +++ b/ext/session/php_session.h @@ -151,9 +151,7 @@ typedef struct _php_ps_globals { char *session_name; zend_string *id; char *extern_referer_chk; - char *entropy_file; char *cache_limiter; - zend_long entropy_length; zend_long cookie_lifetime; char *cookie_path; char *cookie_domain; @@ -191,11 +189,8 @@ typedef struct _php_ps_globals { zend_bool use_only_cookies; zend_bool use_trans_sid; /* contains the INI value of whether to use trans-sid */ - zend_long hash_func; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - php_hash_ops *hash_ops; -#endif - zend_long hash_bits_per_character; + zend_long sid_length; + zend_long sid_bits_per_character; int send_cookie; int define_sid; diff --git a/ext/session/session.c b/ext/session/session.c index 9c143e2fcf..1247a99804 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -40,13 +40,11 @@ #include "rfc1867.h" #include "php_variables.h" #include "php_session.h" -#include "ext/standard/md5.h" -#include "ext/standard/sha1.h" +#include "ext/standard/php_random.h" #include "ext/standard/php_var.h" #include "ext/date/php_date.h" #include "ext/standard/php_lcg.h" #include "ext/standard/url_scanner_ex.h" -#include "ext/standard/php_rand.h" /* for RAND_MAX */ #include "ext/standard/info.h" #include "zend_smart_str.h" #include "ext/standard/url.h" @@ -81,6 +79,8 @@ zend_class_entry *php_session_update_timestamp_class_entry; /* SessionUpdateTimestampInterface */ zend_class_entry *php_session_update_timestamp_iface_entry; +#define PS_MAX_SID_LENGTH 256 + /* *********** * Helpers * *********** */ @@ -259,17 +259,12 @@ static int php_session_decode(zend_string *data) /* {{{ */ static char hexconvtab[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-"; -enum { - PS_HASH_FUNC_MD5, - PS_HASH_FUNC_SHA1, - PS_HASH_FUNC_OTHER -}; - /* returns a pointer to the byte after the last valid character in out */ -static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* {{{ */ +static size_t bin_to_readable(unsigned char *in, size_t inlen, char *out, char nbits) /* {{{ */ { unsigned char *p, *q; unsigned short w; + size_t len = inlen; int mask; int have; @@ -280,7 +275,7 @@ static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* { have = 0; mask = (1 << nbits) - 1; - while (1) { + while (inlen--) { if (have < nbits) { if (p < q) { w |= *p++ << have; @@ -300,151 +295,24 @@ static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* { } *out = '\0'; - return out; + return len; } /* }}} */ +#define PS_EXTRA_RAND_BYTES 60 + PHPAPI zend_string *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */ { - PHP_MD5_CTX md5_context; - PHP_SHA1_CTX sha1_context; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - void *hash_context = NULL; -#endif - unsigned char *digest; - size_t digest_len; - char *buf; - struct timeval tv; - zval *array; - zval *token; + unsigned char rbuf[PS_MAX_SID_LENGTH + PS_EXTRA_RAND_BYTES]; zend_string *outid; - char *remote_addr = NULL; - - gettimeofday(&tv, NULL); - - if ((array = zend_hash_str_find(&EG(symbol_table), "_SERVER", sizeof("_SERVER") - 1)) && - Z_TYPE_P(array) == IS_ARRAY && - (token = zend_hash_str_find(Z_ARRVAL_P(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR") - 1)) && - Z_TYPE_P(token) == IS_STRING - ) { - remote_addr = Z_STRVAL_P(token); - } - - /* maximum 15+19+19+10 bytes */ - spprintf(&buf, 0, "%.15s%ld" ZEND_LONG_FMT "%0.8F", remote_addr ? remote_addr : "", tv.tv_sec, (zend_long)tv.tv_usec, php_combined_lcg() * 10); - - switch (PS(hash_func)) { - case PS_HASH_FUNC_MD5: - PHP_MD5Init(&md5_context); - PHP_MD5Update(&md5_context, (unsigned char *) buf, strlen(buf)); - digest_len = 16; - break; - case PS_HASH_FUNC_SHA1: - PHP_SHA1Init(&sha1_context); - PHP_SHA1Update(&sha1_context, (unsigned char *) buf, strlen(buf)); - digest_len = 20; - break; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - case PS_HASH_FUNC_OTHER: - if (!PS(hash_ops)) { - efree(buf); - zend_throw_error(NULL, "Invalid session hash function"); - return NULL; - } - - hash_context = emalloc(PS(hash_ops)->context_size); - PS(hash_ops)->hash_init(hash_context); - PS(hash_ops)->hash_update(hash_context, (unsigned char *) buf, strlen(buf)); - digest_len = PS(hash_ops)->digest_size; - break; -#endif /* HAVE_HASH_EXT */ - default: - efree(buf); - zend_throw_error(NULL, "Invalid session hash function"); - return NULL; - } - efree(buf); - - if (PS(entropy_length) > 0) { -#ifdef PHP_WIN32 - unsigned char rbuf[2048]; - size_t toread = PS(entropy_length); - - if (php_win32_get_random_bytes(rbuf, MIN(toread, sizeof(rbuf))) == SUCCESS){ - - switch (PS(hash_func)) { - case PS_HASH_FUNC_MD5: - PHP_MD5Update(&md5_context, rbuf, toread); - break; - case PS_HASH_FUNC_SHA1: - PHP_SHA1Update(&sha1_context, rbuf, toread); - break; -# if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - case PS_HASH_FUNC_OTHER: - PS(hash_ops)->hash_update(hash_context, rbuf, toread); - break; -# endif /* HAVE_HASH_EXT */ - } - } -#else - int fd; - - fd = VCWD_OPEN(PS(entropy_file), O_RDONLY); - if (fd >= 0) { - unsigned char rbuf[2048]; - int n; - int to_read = PS(entropy_length); - - while (to_read > 0) { - n = read(fd, rbuf, MIN(to_read, sizeof(rbuf))); - if (n <= 0) break; - - switch (PS(hash_func)) { - case PS_HASH_FUNC_MD5: - PHP_MD5Update(&md5_context, rbuf, n); - break; - case PS_HASH_FUNC_SHA1: - PHP_SHA1Update(&sha1_context, rbuf, n); - break; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - case PS_HASH_FUNC_OTHER: - PS(hash_ops)->hash_update(hash_context, rbuf, n); - break; -#endif /* HAVE_HASH_EXT */ - } - to_read -= n; - } - close(fd); - } -#endif - } - digest = emalloc(digest_len + 1); - switch (PS(hash_func)) { - case PS_HASH_FUNC_MD5: - PHP_MD5Final(digest, &md5_context); - break; - case PS_HASH_FUNC_SHA1: - PHP_SHA1Final(digest, &sha1_context); - break; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - case PS_HASH_FUNC_OTHER: - PS(hash_ops)->hash_final(digest, hash_context); - efree(hash_context); - break; -#endif /* HAVE_HASH_EXT */ + /* Read additional PS_EXTRA_RAND_BYTES just in case CSPRNG is not safe enough */ + if (php_random_bytes_throw(rbuf, PS(sid_length) + PS_EXTRA_RAND_BYTES) == FAILURE) { + return NULL; } - if (PS(hash_bits_per_character) < 4 - || PS(hash_bits_per_character) > 6) { - PS(hash_bits_per_character) = 4; - - php_error_docref(NULL, E_WARNING, "The ini setting hash_bits_per_character is out of range (should be 4, 5, or 6) - using 4 for now"); - } - - outid = zend_string_alloc((digest_len + 2) * ((8.0f / PS(hash_bits_per_character) + 0.5)), 0); - ZSTR_LEN(outid) = (size_t)(bin_to_readable((char *)digest, digest_len, ZSTR_VAL(outid), (char)PS(hash_bits_per_character)) - (char *)&ZSTR_VAL(outid)); - efree(digest); + outid = zend_string_alloc(PS(sid_length), 0); + ZSTR_LEN(outid) = bin_to_readable(rbuf, PS(sid_length), ZSTR_VAL(outid), (char)PS(sid_bits_per_character)); return outid; } @@ -476,7 +344,7 @@ PHPAPI int php_session_valid_key(const char *key) /* {{{ */ /* Somewhat arbitrary length limit here, but should be way more than anyone needs and avoids file-level warnings later on if we exceed MAX_PATH */ - if (len == 0 || len > 128) { + if (len == 0 || len > PS_MAX_SID_LENGTH) { ret = FAILURE; } @@ -773,55 +641,43 @@ static PHP_INI_MH(OnUpdateName) /* {{{ */ } /* }}} */ -static PHP_INI_MH(OnUpdateHashFunc) /* {{{ */ +static PHP_INI_MH(OnUpdateSidLength) /* {{{ */ { zend_long val; char *endptr = NULL; -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) - PS(hash_ops) = NULL; -#endif - val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10); - if (endptr && (*endptr == '\0')) { + if (endptr && (*endptr == '\0') + && val >= 22 && val <= PS_MAX_SID_LENGTH) { /* Numeric value */ - PS(hash_func) = val ? 1 : 0; - + PS(sid_length) = val; return SUCCESS; } - if (ZSTR_LEN(new_value) == (sizeof("md5") - 1) && - strncasecmp(ZSTR_VAL(new_value), "md5", sizeof("md5") - 1) == 0) { - PS(hash_func) = PS_HASH_FUNC_MD5; - - return SUCCESS; - } - - if (ZSTR_LEN(new_value) == (sizeof("sha1") - 1) && - strncasecmp(ZSTR_VAL(new_value), "sha1", sizeof("sha1") - 1) == 0) { - PS(hash_func) = PS_HASH_FUNC_SHA1; - - return SUCCESS; - } + php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_length' must be between 22 and 256."); + return FAILURE; +} +/* }}} */ -#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) /* {{{ */ +static PHP_INI_MH(OnUpdateSidBits) /* {{{ */ { - php_hash_ops *ops = (php_hash_ops*)php_hash_fetch_ops(ZSTR_VAL(new_value), ZSTR_LEN(new_value)); - - if (ops) { - PS(hash_func) = PS_HASH_FUNC_OTHER; - PS(hash_ops) = ops; + zend_long val; + char *endptr = NULL; + val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10); + if (endptr && (*endptr == '\0') + && val >= 4 && val <=6) { + /* Numeric value */ + PS(sid_bits_per_character) = val; return SUCCESS; } -} -#endif /* HAVE_HASH_EXT }}} */ - php_error_docref(NULL, E_WARNING, "session.configuration 'session.hash_function' must be existing hash function. %s does not exist.", ZSTR_VAL(new_value)); + php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_bits' must be between 4 and 6."); return FAILURE; } /* }}} */ + static PHP_INI_MH(OnUpdateRfc1867Freq) /* {{{ */ { int tmp; @@ -862,21 +718,11 @@ PHP_INI_BEGIN() STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals) STD_PHP_INI_BOOLEAN("session.use_strict_mode", "0", PHP_INI_ALL, OnUpdateBool, use_strict_mode, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals) -#if HAVE_DEV_URANDOM - STD_PHP_INI_ENTRY("session.entropy_file", "/dev/urandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) - STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) -#elif HAVE_DEV_ARANDOM - STD_PHP_INI_ENTRY("session.entropy_file", "/dev/arandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) - STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) -#else - STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals) - STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals) -#endif STD_PHP_INI_ENTRY("session.cache_limiter", "nocache", PHP_INI_ALL, OnUpdateString, cache_limiter, php_ps_globals, ps_globals) STD_PHP_INI_ENTRY("session.cache_expire", "180", PHP_INI_ALL, OnUpdateLong, cache_expire, php_ps_globals, ps_globals) PHP_INI_ENTRY("session.use_trans_sid", "0", PHP_INI_ALL, OnUpdateTransSid) - PHP_INI_ENTRY("session.hash_function", "0", PHP_INI_ALL, OnUpdateHashFunc) - STD_PHP_INI_ENTRY("session.hash_bits_per_character", "4", PHP_INI_ALL, OnUpdateLong, hash_bits_per_character, php_ps_globals, ps_globals) + PHP_INI_ENTRY("session.sid_length", "32", PHP_INI_ALL, OnUpdateSidLength) + PHP_INI_ENTRY("session.sid_bits_per_character", "4", PHP_INI_ALL, OnUpdateSidBits) STD_PHP_INI_BOOLEAN("session.lazy_write", "1", PHP_INI_ALL, OnUpdateBool, lazy_write, php_ps_globals, ps_globals) /* Upload progress */ diff --git a/ext/session/tests/bug68063.phpt b/ext/session/tests/bug68063.phpt index ec3a70d156..d21a877631 100644 --- a/ext/session/tests/bug68063.phpt +++ b/ext/session/tests/bug68063.phpt @@ -4,8 +4,8 @@ Bug #68063 (Empty session IDs do still start sessions) --INI-- session.use_strict_mode=0 -session.hash_function=1 -session.hash_bits_per_character=4 +session.sid_length=40 +session.sid_bits_per_character=4 --FILE-- ---INI-- -session.hash_function=sha512 -session.save_handler=files ---FILE-- - ---EXPECT-- -int(128) -int(128) -int(40) -int(40) diff --git a/ext/session/tests/rfc1867_sid_invalid.phpt b/ext/session/tests/rfc1867_sid_invalid.phpt index a9114e3e1d..7ff8f6bf0e 100644 --- a/ext/session/tests/rfc1867_sid_invalid.phpt +++ b/ext/session/tests/rfc1867_sid_invalid.phpt @@ -9,6 +9,7 @@ session.save_path= session.name=PHPSESSID session.use_cookies=1 session.use_only_cookies=0 +session.use_strict_mode=0 session.auto_start=0 session.upload_progress.enabled=1 session.upload_progress.cleanup=0 diff --git a/ext/session/tests/session_hash_function_basic.phpt b/ext/session/tests/session_hash_function_basic.phpt deleted file mode 100644 index a9c921581b..0000000000 --- a/ext/session/tests/session_hash_function_basic.phpt +++ /dev/null @@ -1,52 +0,0 @@ ---TEST-- -Test session.hash_function ini setting : basic functionality ---SKIPIF-- - ---INI-- -session.hash_bits_per_character=4 ---FILE-- - ---EXPECTF-- -*** Testing session.hash_function : basic functionality *** -string(1) "0" -bool(true) -bool(true) -string(32) "%s" -bool(true) -string(3) "md5" -bool(true) -bool(true) -string(40) "%s" -bool(true) - -Warning: ini_set(): session.configuration 'session.hash_function' must be existing hash function. none does not exist. in %s%esession_hash_function_basic.php on line 17 -bool(false) -bool(true) -bool(true) -string(40) "%s" -bool(true) -Done diff --git a/ext/session/tests/session_id_basic2.phpt b/ext/session/tests/session_id_basic2.phpt new file mode 100644 index 0000000000..4421a53910 --- /dev/null +++ b/ext/session/tests/session_id_basic2.phpt @@ -0,0 +1,38 @@ +--TEST-- +Test session_id() function : basic functionality +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +*** Testing session_id() : basic functionality *** +string(240) "%s" +string(22) "%s" +Done + diff --git a/ext/session/tests/session_id_error4.phpt b/ext/session/tests/session_id_error4.phpt deleted file mode 100644 index 6c1fdbcd6b..0000000000 --- a/ext/session/tests/session_id_error4.phpt +++ /dev/null @@ -1,37 +0,0 @@ ---TEST-- -Test session_id() function : error functionality ---SKIPIF-- - ---INI-- -session.hash_function=0 -session.hash_bits_per_character=4 ---FILE-- - ---EXPECTF-- -*** Testing session_id() : error functionality *** -string(1) "0" -string(0) "" -bool(true) -string(40) "%s" -bool(true) -Done diff --git a/ext/session/tests/session_id_variation1.phpt b/ext/session/tests/session_id_variation1.phpt deleted file mode 100644 index 983ca29170..0000000000 --- a/ext/session/tests/session_id_variation1.phpt +++ /dev/null @@ -1,48 +0,0 @@ ---TEST-- -Test session_id() function : variation ---SKIPIF-- - ---INI-- -session.hash_function=0 ---FILE-- - ---EXPECTF-- -*** Testing session_id() : variation *** -string(1) "0" -string(0) "" -bool(true) -string(%d) "%s" -bool(true) -string(1) "0" -string(0) "" -bool(true) -string(%d) "%s" -bool(true) -Done - diff --git a/ext/session/tests/session_id_variation2.phpt b/ext/session/tests/session_id_variation2.phpt deleted file mode 100644 index f69aa44c0d..0000000000 --- a/ext/session/tests/session_id_variation2.phpt +++ /dev/null @@ -1,61 +0,0 @@ ---TEST-- -Test session_id() function : variation ---SKIPIF-- - ---INI-- -session.hash_function=0 -session.entropy_file= -session.entropy_length=0 ---FILE-- - ---EXPECTF-- -*** Testing session_id() : variation *** -string(0) "" -int(12) -string(1) "0" -string(1) "0" -string(0) "" -bool(true) -string(%d) "%s" -bool(true) -string(1) "0" -string(0) "" -bool(true) -string(%d) "%s" -bool(true) -bool(true) -Done - diff --git a/ext/session/tests/session_set_save_handler_variation6.phpt b/ext/session/tests/session_set_save_handler_variation6.phpt index 8d53637668..357e6063ef 100644 --- a/ext/session/tests/session_set_save_handler_variation6.phpt +++ b/ext/session/tests/session_set_save_handler_variation6.phpt @@ -1,6 +1,7 @@ --TEST-- Test session_set_save_handler() function : test lazy_write --INI-- +session.use_strict_mode=0 session.lazy_write=1 session.save_path= session.name=PHPSESSID diff --git a/php.ini-development b/php.ini-development index 34a561851c..7bb3e3d71b 100644 --- a/php.ini-development +++ b/php.ini-development @@ -143,7 +143,7 @@ ; Development Value: 1000 ; Production Value: 1000 -; session.hash_bits_per_character +; session.sid_bits_per_character ; Default Value: 4 ; Development Value: 5 ; Production Value: 5 @@ -1415,19 +1415,6 @@ session.gc_maxlifetime = 1440 ; http://php.net/session.referer-check session.referer_check = -; How many bytes to read from the file. -; http://php.net/session.entropy-length -;session.entropy_length = 32 - -; Specified here to create the session id. -; http://php.net/session.entropy-file -; Defaults to /dev/urandom -; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom -; If neither are found at compile time, the default is no entropy file. -; On windows, setting the entropy_length setting will activate the -; Windows random source (using the CryptoAPI) -;session.entropy_file = /dev/urandom - ; Set to {nocache,private,public,} to determine HTTP caching aspects ; or leave this empty to avoid sending anti-caching headers. ; http://php.net/session.cache-limiter @@ -1449,6 +1436,15 @@ session.cache_expire = 180 ; http://php.net/session.use-trans-sid session.use_trans_sid = 0 +; Set session ID character length. This value could be between 22 to 256. +; Shorter length than default is supported only for compatibility reason. +; Users should use 32 or more chars. +; http://php.net/session.sid_length +; Default Value: 32 +; Development Value: 26 +; Production Value: 26 +session.sid_length = 26 + ; The URL rewriter will look for URLs in a defined set of HTML tags. ;
is special; if you include them here, the rewriter will ; add a hidden field with the info which is otherwise appended @@ -1474,16 +1470,6 @@ session.trans_sid_tags = "a=href,area=href,frame=src,form=" ; Production Value: "" ;session.trans_sid_hosts="" -; Select a hash function for use in generating session ids. -; Possible Values -; 0 (MD5 128 bits) -; 1 (SHA-1 160 bits) -; This option may also be set to the name of any hash function supported by -; the hash extension. A list of available hashes is returned by the hash_algos() -; function. -; http://php.net/session.hash-function -session.hash_function = 0 - ; Define how many bits are stored in each character when converting ; the binary hash data to something readable. ; Possible values: @@ -1494,7 +1480,7 @@ session.hash_function = 0 ; Development Value: 5 ; Production Value: 5 ; http://php.net/session.hash-bits-per-character -session.hash_bits_per_character = 5 +session.sid_bits_per_character = 5 ; Enable upload progress tracking in $_SESSION ; Default Value: On diff --git a/php.ini-production b/php.ini-production index e95b1cfb70..6cf245f85e 100644 --- a/php.ini-production +++ b/php.ini-production @@ -143,7 +143,7 @@ ; Development Value: 1000 ; Production Value: 1000 -; session.hash_bits_per_character +; session.sid_bits_per_character ; Default Value: 4 ; Development Value: 5 ; Production Value: 5 @@ -1415,19 +1415,6 @@ session.gc_maxlifetime = 1440 ; http://php.net/session.referer-check session.referer_check = -; How many bytes to read from the file. -; http://php.net/session.entropy-length -;session.entropy_length = 32 - -; Specified here to create the session id. -; http://php.net/session.entropy-file -; Defaults to /dev/urandom -; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom -; If neither are found at compile time, the default is no entropy file. -; On windows, setting the entropy_length setting will activate the -; Windows random source (using the CryptoAPI) -;session.entropy_file = /dev/urandom - ; Set to {nocache,private,public,} to determine HTTP caching aspects ; or leave this empty to avoid sending anti-caching headers. ; http://php.net/session.cache-limiter @@ -1449,6 +1436,15 @@ session.cache_expire = 180 ; http://php.net/session.use-trans-sid session.use_trans_sid = 0 +; Set session ID character length. This value could be between 22 to 256. +; Shorter length than default is supported only for compatibility reason. +; Users should use 32 or more chars. +; http://php.net/session.sid_length +; Default Value: 32 +; Development Value: 26 +; Production Value: 26 +session.sid_length = 26 + ; The URL rewriter will look for URLs in a defined set of HTML tags. ; is special; if you include them here, the rewriter will ; add a hidden field with the info which is otherwise appended @@ -1474,16 +1470,6 @@ session.trans_sid_tags = "a=href,area=href,frame=src,form=" ; Production Value: "" ;session.trans_sid_hosts="" -; Select a hash function for use in generating session ids. -; Possible Values -; 0 (MD5 128 bits) -; 1 (SHA-1 160 bits) -; This option may also be set to the name of any hash function supported by -; the hash extension. A list of available hashes is returned by the hash_algos() -; function. -; http://php.net/session.hash-function -session.hash_function = 0 - ; Define how many bits are stored in each character when converting ; the binary hash data to something readable. ; Possible values: @@ -1494,7 +1480,7 @@ session.hash_function = 0 ; Development Value: 5 ; Production Value: 5 ; http://php.net/session.hash-bits-per-character -session.hash_bits_per_character = 5 +session.sid_bits_per_character = 5 ; Enable upload progress tracking in $_SESSION ; Default Value: On