php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #65315 session.hash_function silently fallback to default md5
Submitted: 2013-07-23 13:57 UTC Modified: 2013-08-09 09:07 UTC
Votes:8
Avg. Score:4.8 ± 0.7
Reproduced:3 of 6 (50.0%)
Same Version:2 (66.7%)
Same OS:2 (66.7%)
From: nbari at dalmp dot com Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 5.4.17 OS: any
Private report: No CVE-ID: None
View Developer Edit
 [2013-07-23 13:57 UTC] nbari at dalmp dot com 
Description:
------------
session.hash_function not working when having the session and hash extension 
compiled out of the core.


ini_set('session.hash_function', 'sha256') returns a session with md5 hash not 
sha256


To fix this, php must be compiled using: --enable-hash and --enable-session
                                                                                                                                                                                                                                                                                                                                                                                                  
 

Test script:
---------------
<?php

ini_set('session.hash_function', 'sha256');
ini_set('session.hash_bits_per_character', 5);
session_start();
var_dump(session_id());

Expected result:
----------------
string(52) "qcpidhu1jabq225probhkmegnehkrp3fetpdvflumpfbdvo7gis0"

a session hashed with the specified algorithm, in this case 'sha256'


Actual result:
--------------
string(26) "h5rbp62tghln79n92cqicjmce5"

a session hashed with the md5 algo

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-07-26 00:27 UTC] yohgaki@php.net
-Type: Bug +Type: Documentation Problem
 [2013-07-26 00:27 UTC] yohgaki@php.net 
This is expected (designed) behavior.

If there isn't a hash function, session module fallback to default hash function 
which is MD5 currently.

I'm not sure if this documented, so I left this as documentation problem.
 [2013-07-26 09:42 UTC] nbari at dalmp dot com 
And what about to check if there is a 'hash' function in the extensions before 
using the defaults ?

otherwise users are force to compile in the core the hash extension.
 [2013-07-28 22:33 UTC] yohgaki@php.net 
> And what about to check if there is a 'hash' function in the extensions before 
using the defaults ?
> otherwise users are force to compile in the core the hash extension.

It does check before using hash function existence, therefore session module 
fallback to the default(MD5). 

Hash extension is enabled as default module like session module. I would suggest 
leave it as default. Otherwise, use md5 or sha1 or specify hash function at run 
time. (i.e. use ini_set())

It may be good raise E_WARNING error when session module fallback to default. 
I'll consider this.
 [2013-07-28 22:38 UTC] yohgaki@php.net
-Summary: session.hash_function always using md5 +Summary: session.hash_function silently fallback to default md5 -Status: Open +Status: Assigned -Type: Documentation Problem +Type: Bug -Operating System: FreeBSD +Operating System: any -Assigned To: +Assigned To: yohgaki
 [2013-08-09 09:05 UTC] yohgaki@php.net 
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b6b425d2cf767e47e9d05fbfe1328f1485a488ef
Log: Fixed Bug #65315 session.hash_function silently fallback to default md5
 [2013-08-09 09:05 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
 [2013-08-09 09:07 UTC] yohgaki@php.net 
Fix is committed only to master. You'll see the fix in Next PHP.
 [2013-11-17 09:30 UTC] laruence@php.net 
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b6b425d2cf767e47e9d05fbfe1328f1485a488ef
Log: Fixed Bug #65315 session.hash_function silently fallback to default md5
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Oct 29 10:00:01 2025 UTC