php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #53789 Setting session.hash_function doesn't change hash function used.
Submitted: 2011-01-19 14:23 UTC Modified: 2011-02-22 16:52 UTC
Votes:9
Avg. Score:4.1 ± 1.0
Reproduced:7 of 8 (87.5%)
Same Version:2 (28.6%)
Same OS:2 (28.6%)
From: richard at blueapex dot co dot uk Assigned:
Status: Wont fix Package: Session related
PHP Version: 5.3.5 OS: Freebsd 8.1
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: richard at blueapex dot co dot uk
New email:
PHP Version: OS:

 

 [2011-01-19 14:23 UTC] richard at blueapex dot co dot uk
Description:
------------
This may be an apache bug, though I'll start with putting it down as php. There is a similar bug: Bug #49469 submitted in 2009 with advice try the latest snapshot, that was version 5.3.0 and I'm using version 5.3.5 so assuming that advice isn't valid and the bug still exists.

Setting session.hash_function variable in php.ini doesn't change the value used to generate the hash function.

I've tried sha512, sha1, whirlpool. All of these don't change the hash delivered to the browser (PHPSESSID) and still the standard md5() hash is used.

All the hash algos tried are on the system when the output of hash_algos() is examined.

Specifying 1 does make the system use SHA1 to generate the session hash.

##############################

Revelant. php.ini

session.save_handler = files
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = On
session.bug_compat_warn = On
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = sha512
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"

Test script:
---------------
session_start()

Expected result:
----------------
sha512 generated PHPSESSID

Actual result:
--------------
md5 generated PHPSESSID

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-01-30 14:07 UTC] datahell at elxis dot org
I face the same problem on PHP 5.2.5 (x64) on my local installation Windows Vista 64bit.
 [2011-02-01 14:39 UTC] iliaa@php.net
-Status: Open +Status: Feedback
 [2011-02-01 14:39 UTC] iliaa@php.net
Do you have the hash extension enabled? Without that extension, hashing algorithms 
other than md5/sha1 will not be available.
 [2011-02-01 15:11 UTC] richard at blueapex dot co dot uk
-Status: Feedback +Status: Open
 [2011-02-01 15:11 UTC] richard at blueapex dot co dot uk
I have the hash extension enabled.

Doing print_r(hash_algos()) gives a fair few hashes. I'm using hash('SHA512', $foo) for encrypting passwords so it defiantly is available to PHP.
 [2011-02-08 21:34 UTC] henno at schooljan dot nl
It does work when compiling in both hash and session modules into the main PHP 
executable (by use of --enable-hash and --enable-session on the configure line).

The FreeBSD Ports strategy is to provide a slim PHP base package with a lot of 
extra modules as extra packages to choose. Fine of course, but apparently the 
has_function option breaks when one of the relevant modules are externally 
loaded.

I found this out because I also run a Gentoo machine where this bug does not 
manifest itself, and there the package strategy is to compile everything into 
one big PHP executable.

So a quick temporary workaround for FreeBSD users is adding both --enable-hash 
and --enable-session in the FreeBSD port Makefile for lang/php5 (and disable the 
external modules to prevent 'already loaded' warnings).





To summarize:

Steps to reproduce:
-------------------
Use either hash or session modules as external loadable module, setting reverts 
to 0 when choosing a hash algo.

Workaround:
-----------
Compile both hash and session modules into the main PHP executable.
 [2011-02-22 16:52 UTC] iliaa@php.net
-Status: Open +Status: Wont fix
 [2011-02-22 16:52 UTC] iliaa@php.net
I think this is one of those situations where hash extension would need to be 
compiled as part of "core php" for this feature to work.
 [2012-01-15 15:34 UTC] henno at schooljan dot nl
This should still be fixed, or at least get documented somewhere.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Nov 27 09:01:28 2024 UTC