Skip to content

Instantly share code, notes, and snippets.

@yohgaki

yohgaki/master-rfc-session-without-hashing.patch

Created August 4, 2016 06:42
Show Gist options
  • Save yohgaki/7160a05a3a8f8d012833499ea32b451b to your computer and use it in GitHub Desktop.
Save yohgaki/7160a05a3a8f8d012833499ea32b451b to your computer and use it in GitHub Desktop.
Download ZIP
Raw
master-rfc-session-without-hashing.patch
diff --git a/UPGRADING b/UPGRADING
index 5400a2e..56221f4 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -71,6 +71,25 @@ PHP 7.1 UPGRADE NOTES
- OpenSSL:
. Dropped sslv2 stream.
+- Session:
+ . Session ID is generated from CSPNG directly. As a result, Session ID length
+ could be any length between 22 and 256. Note: Max size of session ID depends
+ on save handler you are using.
+ . Following INIs are removed
+ . session.hash_function
+ . session.hash_bits_per_charactor
+ . session.entropy_file
+ . session.entropy_length
+ . New INIs and defaults
+ . session.sid_length (Number of session ID characters - 22 to 256. Default: 32)
+ . session.sid_bits_per_character (Bits used per byte. 4 to 6. Default: 4)
+ . If you were using session.hash_func=1(SHA1) and session.hash_bits_per_charactor=6
+ Use following INIs to achive the same or better session ID strength.
+ . session.sid_length=32
+ . session.sid_bits_per_character=6
+
+
+
========================================
2. New Features
========================================
@@ -238,8 +257,7 @@ PHP 7.1 UPGRADE NOTES
. Custom session handlers that do not return strings for session IDs will
now throw an instance of Error instead of resulting in a fatal error
when a function is called that must generate a session ID.
- . An invalid setting for session.hash_function will throw an instance of
- Error instead of resulting in a fatal error when a session ID is created.
+ . Only CSPRNG is used to generate session ID.
- SimpleXML:
. Creating an unnamed or duplicate attribute will throw an instance of Error
diff --git a/ext/session/php_session.h b/ext/session/php_session.h
index 37e66a0..b693fd4 100644
--- a/ext/session/php_session.h
+++ b/ext/session/php_session.h
@@ -151,9 +151,7 @@ typedef struct _php_ps_globals {
char *session_name;
zend_string *id;
char *extern_referer_chk;
- char *entropy_file;
char *cache_limiter;
- zend_long entropy_length;
zend_long cookie_lifetime;
char *cookie_path;
char *cookie_domain;
@@ -191,11 +189,8 @@ typedef struct _php_ps_globals {
zend_bool use_only_cookies;
zend_bool use_trans_sid; /* contains the INI value of whether to use trans-sid */
- zend_long hash_func;
-#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
- php_hash_ops *hash_ops;
-#endif
- zend_long hash_bits_per_character;
+ zend_long sid_length;
+ zend_long sid_bits_per_character;
int send_cookie;
int define_sid;
diff --git a/ext/session/session.c b/ext/session/session.c
index bbf5b0f..9f7e471 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -40,13 +40,11 @@
#include "rfc1867.h"
#include "php_variables.h"
#include "php_session.h"
-#include "ext/standard/md5.h"
-#include "ext/standard/sha1.h"
+#include "ext/standard/php_random.h"
#include "ext/standard/php_var.h"
#include "ext/date/php_date.h"
#include "ext/standard/php_lcg.h"
#include "ext/standard/url_scanner_ex.h"
-#include "ext/standard/php_rand.h" /* for RAND_MAX */
#include "ext/standard/info.h"
#include "zend_smart_str.h"
#include "ext/standard/url.h"
@@ -81,6 +79,8 @@ zend_class_entry *php_session_update_timestamp_class_entry;
/* SessionUpdateTimestampInterface */
zend_class_entry *php_session_update_timestamp_iface_entry;
+#define PS_MAX_SID_LENGTH 256
+
/* ***********
* Helpers *
*********** */
@@ -259,17 +259,12 @@ static int php_session_decode(zend_string *data) /* {{{ */
static char hexconvtab[] = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-";
-enum {
- PS_HASH_FUNC_MD5,
- PS_HASH_FUNC_SHA1,
- PS_HASH_FUNC_OTHER
-};
-
/* returns a pointer to the byte after the last valid character in out */
-static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* {{{ */
+static size_t bin_to_readable(unsigned char *in, size_t inlen, char *out, char nbits) /* {{{ */
{
unsigned char *p, *q;
unsigned short w;
+ size_t len = inlen;
int mask;
int have;
@@ -280,7 +275,7 @@ static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* {
have = 0;
mask = (1 << nbits) - 1;
- while (1) {
+ while (inlen--) {
if (have < nbits) {
if (p < q) {
w |= *p++ << have;
@@ -300,151 +295,24 @@ static char *bin_to_readable(char *in, size_t inlen, char *out, char nbits) /* {
}
*out = '\0';
- return out;
+ return len;
}
/* }}} */
+#define PS_EXTRA_RAND_BYTES 60
+
PHPAPI zend_string *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */
{
- PHP_MD5_CTX md5_context;
- PHP_SHA1_CTX sha1_context;
-#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
- void *hash_context = NULL;
-#endif
- unsigned char *digest;
- size_t digest_len;
- char *buf;
- struct timeval tv;
- zval *array;
- zval *token;
+ unsigned char rbuf[PS_MAX_SID_LENGTH + PS_EXTRA_RAND_BYTES];
zend_string *outid;
- char *remote_addr = NULL;
-
- gettimeofday(&tv, NULL);
-
- if ((array = zend_hash_str_find(&EG(symbol_table), "_SERVER", sizeof("_SERVER") - 1)) &&
- Z_TYPE_P(array) == IS_ARRAY &&
- (token = zend_hash_str_find(Z_ARRVAL_P(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR") - 1)) &&
- Z_TYPE_P(token) == IS_STRING
- ) {
- remote_addr = Z_STRVAL_P(token);
- }
-
- /* maximum 15+19+19+10 bytes */
- spprintf(&buf, 0, "%.15s%ld" ZEND_LONG_FMT "%0.8F", remote_addr ? remote_addr : "", tv.tv_sec, (zend_long)tv.tv_usec, php_combined_lcg() * 10);
-
- switch (PS(hash_func)) {
- case PS_HASH_FUNC_MD5:
- PHP_MD5Init(&md5_context);
- PHP_MD5Update(&md5_context, (unsigned char *) buf, strlen(buf));
- digest_len = 16;
- break;
- case PS_HASH_FUNC_SHA1:
- PHP_SHA1Init(&sha1_context);
- PHP_SHA1Update(&sha1_context, (unsigned char *) buf, strlen(buf));
- digest_len = 20;
- break;
-#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
- case PS_HASH_FUNC_OTHER:
- if (!PS(hash_ops)) {
- efree(buf);
- zend_throw_error(NULL, "Invalid session hash function");
- return NULL;
- }
-
- hash_context = emalloc(PS(hash_ops)->context_size);
- PS(hash_ops)->hash_init(hash_context);
- PS(hash_ops)->hash_update(hash_context, (unsigned char *) buf, strlen(buf));
- digest_len = PS(hash_ops)->digest_size;
- break;
-#endif /* HAVE_HASH_EXT */
- default:
- efree(buf);
- zend_throw_error(NULL, "Invalid session hash function");
- return NULL;
- }
- efree(buf);
-
- if (PS(entropy_length) > 0) {
-#ifdef PHP_WIN32
- unsigned char rbuf[2048];
- size_t toread = PS(entropy_length);
-
- if (php_win32_get_random_bytes(rbuf, MIN(toread, sizeof(rbuf))) == SUCCESS){
-
- switch (PS(hash_func)) {
- case PS_HASH_FUNC_MD5:
- PHP_MD5Update(&md5_context, rbuf, toread);
- break;
- case PS_HASH_FUNC_SHA1:
- PHP_SHA1Update(&sha1_context, rbuf, toread);
- break;
-# if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
- case PS_HASH_FUNC_OTHER:
- PS(hash_ops)->hash_update(hash_context, rbuf, toread);
- break;
-# endif /* HAVE_HASH_EXT */
- }
- }
-#else
- int fd;
-
- fd = VCWD_OPEN(PS(entropy_file), O_RDONLY);
- if (fd >= 0) {
- unsigned char rbuf[2048];
- int n;
- int to_read = PS(entropy_length);
-
- while (to_read > 0) {
- n = read(fd, rbuf, MIN(to_read, sizeof(rbuf)));
- if (n <= 0) break;
-
- switch (PS(hash_func)) {
- case PS_HASH_FUNC_MD5:
- PHP_MD5Update(&md5_context, rbuf, n);
- break;
- case PS_HASH_FUNC_SHA1:
- PHP_SHA1Update(&sha1_context, rbuf, n);
- break;
-#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
- case PS_HASH_FUNC_OTHER:
- PS(hash_ops)->hash_update(hash_context, rbuf, n);
- break;
-#endif /* HAVE_HASH_EXT */
- }
- to_read -= n;
- }
- close(fd);
- }
-#endif
- }
- digest = emalloc(digest_len + 1);
- switch (PS(hash_func)) {
- case PS_HASH_FUNC_MD5:
- PHP_MD5Final(digest, &md5_context);
- break;
- case PS_HASH_FUNC_SHA1:
- PHP_SHA1Final(digest, &sha1_context);
- break;
-#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
- case PS_HASH_FUNC_OTHER:
- PS(hash_ops)->hash_final(digest, hash_context);
- efree(hash_context);
- break;
-#endif /* HAVE_HASH_EXT */
+ /* Read additional PS_EXTRA_RAND_BYTES just in case CSPRNG is not safe enough */
+ if (php_random_bytes_throw(rbuf, PS(sid_length) + PS_EXTRA_RAND_BYTES) == FAILURE) {
+ return NULL;
}
- if (PS(hash_bits_per_character) < 4
- || PS(hash_bits_per_character) > 6) {
- PS(hash_bits_per_character) = 4;
-
- php_error_docref(NULL, E_WARNING, "The ini setting hash_bits_per_character is out of range (should be 4, 5, or 6) - using 4 for now");
- }
-
- outid = zend_string_alloc((digest_len + 2) * ((8.0f / PS(hash_bits_per_character) + 0.5)), 0);
- ZSTR_LEN(outid) = (size_t)(bin_to_readable((char *)digest, digest_len, ZSTR_VAL(outid), (char)PS(hash_bits_per_character)) - (char *)&ZSTR_VAL(outid));
- efree(digest);
+ outid = zend_string_alloc(PS(sid_length), 0);
+ ZSTR_LEN(outid) = bin_to_readable(rbuf, PS(sid_length), ZSTR_VAL(outid), (char)PS(sid_bits_per_character));
return outid;
}
@@ -476,7 +344,7 @@ PHPAPI int php_session_valid_key(const char *key) /* {{{ */
/* Somewhat arbitrary length limit here, but should be way more than
anyone needs and avoids file-level warnings later on if we exceed MAX_PATH */
- if (len == 0 || len > 128) {
+ if (len == 0 || len > PS_MAX_SID_LENGTH) {
ret = FAILURE;
}
@@ -773,55 +641,43 @@ static PHP_INI_MH(OnUpdateName) /* {{{ */
}
/* }}} */
-static PHP_INI_MH(OnUpdateHashFunc) /* {{{ */
+static PHP_INI_MH(OnUpdateSidLength) /* {{{ */
{
zend_long val;
char *endptr = NULL;
-#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH)
- PS(hash_ops) = NULL;
-#endif
-
val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10);
- if (endptr && (*endptr == '\0')) {
+ if (endptr && (*endptr == '\0')
+ && val >= 22 && val <= PS_MAX_SID_LENGTH) {
/* Numeric value */
- PS(hash_func) = val ? 1 : 0;
-
+ PS(sid_length) = val;
return SUCCESS;
}
- if (ZSTR_LEN(new_value) == (sizeof("md5") - 1) &&
- strncasecmp(ZSTR_VAL(new_value), "md5", sizeof("md5") - 1) == 0) {
- PS(hash_func) = PS_HASH_FUNC_MD5;
-
- return SUCCESS;
- }
-
- if (ZSTR_LEN(new_value) == (sizeof("sha1") - 1) &&
- strncasecmp(ZSTR_VAL(new_value), "sha1", sizeof("sha1") - 1) == 0) {
- PS(hash_func) = PS_HASH_FUNC_SHA1;
-
- return SUCCESS;
- }
+ php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_length' must be between 22 and 256.");
+ return FAILURE;
+}
+/* }}} */
-#if defined(HAVE_HASH_EXT) && !defined(COMPILE_DL_HASH) /* {{{ */
+static PHP_INI_MH(OnUpdateSidBits) /* {{{ */
{
- php_hash_ops *ops = (php_hash_ops*)php_hash_fetch_ops(ZSTR_VAL(new_value), ZSTR_LEN(new_value));
-
- if (ops) {
- PS(hash_func) = PS_HASH_FUNC_OTHER;
- PS(hash_ops) = ops;
+ zend_long val;
+ char *endptr = NULL;
+ val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10);
+ if (endptr && (*endptr == '\0')
+ && val >= 4 && val <=6) {
+ /* Numeric value */
+ PS(sid_bits_per_character) = val;
return SUCCESS;
}
-}
-#endif /* HAVE_HASH_EXT }}} */
- php_error_docref(NULL, E_WARNING, "session.configuration 'session.hash_function' must be existing hash function. %s does not exist.", ZSTR_VAL(new_value));
+ php_error_docref(NULL, E_WARNING, "session.configuration 'session.sid_bits' must be between 4 and 6.");
return FAILURE;
}
/* }}} */
+
static PHP_INI_MH(OnUpdateRfc1867Freq) /* {{{ */
{
int tmp;
@@ -862,21 +718,11 @@ PHP_INI_BEGIN()
STD_PHP_INI_BOOLEAN("session.use_only_cookies", "1", PHP_INI_ALL, OnUpdateBool, use_only_cookies, php_ps_globals, ps_globals)
STD_PHP_INI_BOOLEAN("session.use_strict_mode", "0", PHP_INI_ALL, OnUpdateBool, use_strict_mode, php_ps_globals, ps_globals)
STD_PHP_INI_ENTRY("session.referer_check", "", PHP_INI_ALL, OnUpdateString, extern_referer_chk, php_ps_globals, ps_globals)
-#if HAVE_DEV_URANDOM
- STD_PHP_INI_ENTRY("session.entropy_file", "/dev/urandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals)
- STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals)
-#elif HAVE_DEV_ARANDOM
- STD_PHP_INI_ENTRY("session.entropy_file", "/dev/arandom", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals)
- STD_PHP_INI_ENTRY("session.entropy_length", "32", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals)
-#else
- STD_PHP_INI_ENTRY("session.entropy_file", "", PHP_INI_ALL, OnUpdateString, entropy_file, php_ps_globals, ps_globals)
- STD_PHP_INI_ENTRY("session.entropy_length", "0", PHP_INI_ALL, OnUpdateLong, entropy_length, php_ps_globals, ps_globals)
-#endif
STD_PHP_INI_ENTRY("session.cache_limiter", "nocache", PHP_INI_ALL, OnUpdateString, cache_limiter, php_ps_globals, ps_globals)
STD_PHP_INI_ENTRY("session.cache_expire", "180", PHP_INI_ALL, OnUpdateLong, cache_expire, php_ps_globals, ps_globals)
PHP_INI_ENTRY("session.use_trans_sid", "0", PHP_INI_ALL, OnUpdateTransSid)
- PHP_INI_ENTRY("session.hash_function", "0", PHP_INI_ALL, OnUpdateHashFunc)
- STD_PHP_INI_ENTRY("session.hash_bits_per_character", "4", PHP_INI_ALL, OnUpdateLong, hash_bits_per_character, php_ps_globals, ps_globals)
+ PHP_INI_ENTRY("session.sid_length", "32", PHP_INI_ALL, OnUpdateSidLength)
+ PHP_INI_ENTRY("session.sid_bits_per_character", "4", PHP_INI_ALL, OnUpdateSidBits)
STD_PHP_INI_BOOLEAN("session.lazy_write", "1", PHP_INI_ALL, OnUpdateBool, lazy_write, php_ps_globals, ps_globals)
/* Upload progress */
diff --git a/ext/session/tests/bug68063.phpt b/ext/session/tests/bug68063.phpt
index ec3a70d..d21a877 100644
--- a/ext/session/tests/bug68063.phpt
+++ b/ext/session/tests/bug68063.phpt
@@ -4,8 +4,8 @@ Bug #68063 (Empty session IDs do still start sessions)
<?php include('skipif.inc'); ?>
--INI--
session.use_strict_mode=0
-session.hash_function=1
-session.hash_bits_per_character=4
+session.sid_length=40
+session.sid_bits_per_character=4
--FILE--
<?php
// Empty session ID may happen by browser bugs
diff --git a/ext/session/tests/bug71186.phpt b/ext/session/tests/bug71186.phpt
deleted file mode 100644
index 5eeba60..0000000
--- a/ext/session/tests/bug71186.phpt
+++ /dev/null
@@ -1,32 +0,0 @@
---TEST--
-Bug #71186 session.hash_function - algorithm changes
---SKIPIF--
-<?php include('skipif.inc'); ?>
---INI--
-session.hash_function=sha512
-session.save_handler=files
---FILE--
-<?php
-ob_start();
-ini_set('session.use_strict_mode', 1);
-
-session_start();
-$orig = session_id();
-session_regenerate_id();
-$new = session_id();
-var_dump(strlen($orig),strlen($new));
-session_commit();
-
-ini_set('session.hash_function','sha1');
-session_id('invalid');
-session_start();
-$orig = session_id();
-session_regenerate_id();
-$new = session_id();
-var_dump(strlen($orig),strlen($new));
-?>
---EXPECT--
-int(128)
-int(128)
-int(40)
-int(40)
diff --git a/ext/session/tests/rfc1867_sid_invalid.phpt b/ext/session/tests/rfc1867_sid_invalid.phpt
index a9114e3..7ff8f6b 100644
--- a/ext/session/tests/rfc1867_sid_invalid.phpt
+++ b/ext/session/tests/rfc1867_sid_invalid.phpt
@@ -9,6 +9,7 @@ session.save_path=
session.name=PHPSESSID
session.use_cookies=1
session.use_only_cookies=0
+session.use_strict_mode=0
session.auto_start=0
session.upload_progress.enabled=1
session.upload_progress.cleanup=0
diff --git a/ext/session/tests/session_hash_function_basic.phpt b/ext/session/tests/session_hash_function_basic.phpt
deleted file mode 100644
index a9c9215..0000000
--- a/ext/session/tests/session_hash_function_basic.phpt
+++ /dev/null
@@ -1,52 +0,0 @@
---TEST--
-Test session.hash_function ini setting : basic functionality
---SKIPIF--
-<?php include('skipif.inc'); ?>
---INI--
-session.hash_bits_per_character=4
---FILE--
-<?php
-
-ob_start();
-
-echo "*** Testing session.hash_function : basic functionality ***\n";
-
-var_dump(ini_set('session.hash_function', 'md5'));
-var_dump(session_start());
-var_dump(!empty(session_id()), session_id());
-var_dump(session_destroy());
-
-var_dump(ini_set('session.hash_function', 'sha1'));
-var_dump(session_start());
-var_dump(!empty(session_id()), session_id());
-var_dump(session_destroy());
-
-var_dump(ini_set('session.hash_function', 'none')); // Should fail
-var_dump(session_start());
-var_dump(!empty(session_id()), session_id());
-var_dump(session_destroy());
-
-
-echo "Done";
-ob_end_flush();
-?>
---EXPECTF--
-*** Testing session.hash_function : basic functionality ***
-string(1) "0"
-bool(true)
-bool(true)
-string(32) "%s"
-bool(true)
-string(3) "md5"
-bool(true)
-bool(true)
-string(40) "%s"
-bool(true)
-
-Warning: ini_set(): session.configuration 'session.hash_function' must be existing hash function. none does not exist. in %s%esession_hash_function_basic.php on line 17
-bool(false)
-bool(true)
-bool(true)
-string(40) "%s"
-bool(true)
-Done
diff --git a/ext/session/tests/session_id_basic2.phpt b/ext/session/tests/session_id_basic2.phpt
new file mode 100644
index 0000000..4421a53
--- /dev/null
+++ b/ext/session/tests/session_id_basic2.phpt
@@ -0,0 +1,38 @@
+--TEST--
+Test session_id() function : basic functionality
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+
+ob_start();
+
+/*
+ * Prototype : string session_id([string $id])
+ * Description : Get and/or set the current session id
+ * Source code : ext/session/session.c
+ */
+
+echo "*** Testing session_id() : basic functionality ***\n";
+
+ini_set('session.sid_bits_per_chracter', 6);
+ini_set('session.sid_length', 240);
+session_start();
+var_dump(session_id());
+session_commit();
+
+ini_set('session.sid_bits_per_chracter', 4);
+ini_set('session.sid_length', 22);
+session_start();
+session_regenerate_id();
+var_dump(session_id());
+session_commit();
+
+echo "Done";
+?>
+--EXPECTF--
+*** Testing session_id() : basic functionality ***
+string(240) "%s"
+string(22) "%s"
+Done
+
diff --git a/ext/session/tests/session_id_error4.phpt b/ext/session/tests/session_id_error4.phpt
deleted file mode 100644
index 6c1fdbc..0000000
--- a/ext/session/tests/session_id_error4.phpt
+++ /dev/null
@@ -1,37 +0,0 @@
---TEST--
-Test session_id() function : error functionality
---SKIPIF--
-<?php include('skipif.inc'); ?>
---INI--
-session.hash_function=0
-session.hash_bits_per_character=4
---FILE--
-<?php
-
-ob_start();
-
-/*
- * Prototype : string session_id([string $id])
- * Description : Get and/or set the current session id
- * Source code : ext/session/session.c
- */
-
-echo "*** Testing session_id() : error functionality ***\n";
-
-var_dump(ini_set("session.hash_function", -1));
-var_dump(session_id());
-var_dump(session_start());
-var_dump(session_id());
-var_dump(session_destroy());
-
-echo "Done";
-ob_end_flush();
-?>
---EXPECTF--
-*** Testing session_id() : error functionality ***
-string(1) "0"
-string(0) ""
-bool(true)
-string(40) "%s"
-bool(true)
-Done
diff --git a/ext/session/tests/session_id_variation1.phpt b/ext/session/tests/session_id_variation1.phpt
deleted file mode 100644
index 983ca29..0000000
--- a/ext/session/tests/session_id_variation1.phpt
+++ /dev/null
@@ -1,48 +0,0 @@
---TEST--
-Test session_id() function : variation
---SKIPIF--
-<?php include('skipif.inc'); ?>
---INI--
-session.hash_function=0
---FILE--
-<?php
-
-ob_start();
-
-/*
- * Prototype : string session_id([string $id])
- * Description : Get and/or set the current session id
- * Source code : ext/session/session.c
- */
-
-echo "*** Testing session_id() : variation ***\n";
-
-var_dump(ini_set("session.hash_function", 0));
-var_dump(session_id());
-var_dump(session_start());
-var_dump(session_id());
-var_dump(session_destroy());
-
-var_dump(ini_set("session.hash_function", 1));
-var_dump(session_id());
-var_dump(session_start());
-var_dump(session_id());
-var_dump(session_destroy());
-
-echo "Done";
-ob_end_flush();
-?>
---EXPECTF--
-*** Testing session_id() : variation ***
-string(1) "0"
-string(0) ""
-bool(true)
-string(%d) "%s"
-bool(true)
-string(1) "0"
-string(0) ""
-bool(true)
-string(%d) "%s"
-bool(true)
-Done
-
diff --git a/ext/session/tests/session_id_variation2.phpt b/ext/session/tests/session_id_variation2.phpt
deleted file mode 100644
index f69aa44..0000000
--- a/ext/session/tests/session_id_variation2.phpt
+++ /dev/null
@@ -1,61 +0,0 @@
---TEST--
-Test session_id() function : variation
---SKIPIF--
-<?php include('skipif.inc'); ?>
---INI--
-session.hash_function=0
-session.entropy_file=
-session.entropy_length=0
---FILE--
-<?php
-
-ob_start();
-
-/*
- * Prototype : string session_id([string $id])
- * Description : Get and/or set the current session id
- * Source code : ext/session/session.c
- */
-
-echo "*** Testing session_id() : variation ***\n";
-
-$directory = dirname(__FILE__);
-$filename = ($directory."/entropy.txt");
-var_dump(ini_set("session.entropy_file", $filename));
-var_dump(file_put_contents($filename, "Hello World!"));
-var_dump(ini_set("session.entropy_length", filesize($filename)));
-
-var_dump(ini_set("session.hash_function", 0));
-var_dump(session_id());
-var_dump(session_start());
-var_dump(session_id());
-var_dump(session_destroy());
-
-var_dump(ini_set("session.hash_function", 1));
-var_dump(session_id());
-var_dump(session_start());
-var_dump(session_id());
-var_dump(session_destroy());
-var_dump(unlink($filename));
-
-echo "Done";
-ob_end_flush();
-?>
---EXPECTF--
-*** Testing session_id() : variation ***
-string(0) ""
-int(12)
-string(1) "0"
-string(1) "0"
-string(0) ""
-bool(true)
-string(%d) "%s"
-bool(true)
-string(1) "0"
-string(0) ""
-bool(true)
-string(%d) "%s"
-bool(true)
-bool(true)
-Done
-
diff --git a/ext/session/tests/session_set_save_handler_variation6.phpt b/ext/session/tests/session_set_save_handler_variation6.phpt
index 8d53637..357e606 100644
--- a/ext/session/tests/session_set_save_handler_variation6.phpt
+++ b/ext/session/tests/session_set_save_handler_variation6.phpt
@@ -1,6 +1,7 @@
--TEST--
Test session_set_save_handler() function : test lazy_write
--INI--
+session.use_strict_mode=0
session.lazy_write=1
session.save_path=
session.name=PHPSESSID
diff --git a/php.ini-development b/php.ini-development
index b39689f..d0a1c5a 100644
--- a/php.ini-development
+++ b/php.ini-development
@@ -143,7 +143,7 @@
; Development Value: 1000
; Production Value: 1000
-; session.hash_bits_per_character
+; session.sid_bits_per_character
; Default Value: 4
; Development Value: 5
; Production Value: 5
@@ -1403,19 +1403,6 @@ session.gc_maxlifetime = 1440
; http://php.net/session.referer-check
session.referer_check =
-; How many bytes to read from the file.
-; http://php.net/session.entropy-length
-;session.entropy_length = 32
-
-; Specified here to create the session id.
-; http://php.net/session.entropy-file
-; Defaults to /dev/urandom
-; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom
-; If neither are found at compile time, the default is no entropy file.
-; On windows, setting the entropy_length setting will activate the
-; Windows random source (using the CryptoAPI)
-;session.entropy_file = /dev/urandom
-
; Set to {nocache,private,public,} to determine HTTP caching aspects
; or leave this empty to avoid sending anti-caching headers.
; http://php.net/session.cache-limiter
@@ -1437,15 +1424,11 @@ session.cache_expire = 180
; http://php.net/session.use-trans-sid
session.use_trans_sid = 0
-; Select a hash function for use in generating session ids.
-; Possible Values
-; 0 (MD5 128 bits)
-; 1 (SHA-1 160 bits)
-; This option may also be set to the name of any hash function supported by
-; the hash extension. A list of available hashes is returned by the hash_algos()
-; function.
-; http://php.net/session.hash-function
-session.hash_function = 0
+; Set session ID charactor length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users must use 32 or more chars.
+; http://php.net/session.sid_length
+;session.sid_length = 32
; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
@@ -1457,7 +1440,7 @@ session.hash_function = 0
; Development Value: 5
; Production Value: 5
; http://php.net/session.hash-bits-per-character
-session.hash_bits_per_character = 5
+session.sid_bits_per_character = 5
; The URL rewriter will look for URLs in a defined set of HTML tags.
; form/fieldset are special; if you include them here, the rewriter will
diff --git a/php.ini-production b/php.ini-production
index 3c07f75..10218d5 100644
--- a/php.ini-production
+++ b/php.ini-production
@@ -143,7 +143,7 @@
; Development Value: 1000
; Production Value: 1000
-; session.hash_bits_per_character
+; session.sid_bits_per_character
; Default Value: 4
; Development Value: 5
; Production Value: 5
@@ -1403,19 +1403,6 @@ session.gc_maxlifetime = 1440
; http://php.net/session.referer-check
session.referer_check =
-; How many bytes to read from the file.
-; http://php.net/session.entropy-length
-;session.entropy_length = 32
-
-; Specified here to create the session id.
-; http://php.net/session.entropy-file
-; Defaults to /dev/urandom
-; On systems that don't have /dev/urandom but do have /dev/arandom, this will default to /dev/arandom
-; If neither are found at compile time, the default is no entropy file.
-; On windows, setting the entropy_length setting will activate the
-; Windows random source (using the CryptoAPI)
-;session.entropy_file = /dev/urandom
-
; Set to {nocache,private,public,} to determine HTTP caching aspects
; or leave this empty to avoid sending anti-caching headers.
; http://php.net/session.cache-limiter
@@ -1437,15 +1424,11 @@ session.cache_expire = 180
; http://php.net/session.use-trans-sid
session.use_trans_sid = 0
-; Select a hash function for use in generating session ids.
-; Possible Values
-; 0 (MD5 128 bits)
-; 1 (SHA-1 160 bits)
-; This option may also be set to the name of any hash function supported by
-; the hash extension. A list of available hashes is returned by the hash_algos()
-; function.
-; http://php.net/session.hash-function
-session.hash_function = 0
+; Set session ID charactor length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users must use 32 or more chars.
+; http://php.net/session.sid_length
+;session.sid_length = 32
; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
@@ -1457,7 +1440,7 @@ session.hash_function = 0
; Development Value: 5
; Production Value: 5
; http://php.net/session.hash-bits-per-character
-session.hash_bits_per_character = 5
+session.sid_bits_per_character = 5
; The URL rewriter will look for URLs in a defined set of HTML tags.
; form/fieldset are special; if you include them here, the rewriter will
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment