php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #55787 session_id() - Limits on amount session_regenerate_id() can be used with sha512
Submitted: 2011-09-26 18:29 UTC Modified: 2011-10-03 15:09 UTC
From: jason dot gerfen at gmail dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 5.3.8 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: jason dot gerfen at gmail dot com
New email:
PHP Version: OS:

 

 [2011-09-26 18:29 UTC] jason dot gerfen at gmail dot com 
Description:
------------
I am not sure if this is a bug or a feature in terms of limits due to a test case exceeding internal limits.

Scenario #1.
Using session_regenerate_id() over 39 times results in the following errors:
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent

Scenario #2.
Using session_regenerate_id() over 19 times results in the following errors:
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent; when the following parameters are modified:
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");
ini_set("session.hash_function", "sha512");


Test script:
---------------
session_start();

function _regenIDdef($old){
 session_regenerate_id(true);
 $_SESSION = $old;
}

function _prettyPrint($id, $i){
 echo sprintf('Iteration: %d : ID: %s => Length: %d<br/>', $i, $id, strlen((string)$id));
}

function _collide($array){
 $x=0;
 foreach($array as $k => $v){
  if (count(in_array($v, $array))>1){
   $x = $x++;
   echo sprintf('Collision found at %d session id %s<br/>', $k, $v);
  }
 }
 echo sprintf('Total collisions found %d<br/>', $x);
}

function _loop($id, $int){
 $a = array();
 for($i=0; $i<$int; $i++){
  _regenIDdef($id);
  _prettyPrint(session_id(), $i);
  $a[$i]=session_id();
 }
 _collide($a);
}

echo '<b>Testing with PHP defaults</b><br/>';
_loop(session_id(), 40, 'a');

echo '<b>Testing with /dev/urandom & entropy 32</b><br/>';
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");
ini_set("session.hash_function", "sha512");
_loop(session_id(), 20, 'a');

?>

Expected result:
----------------
No errors returning about not being able to regenerate a new session_id

Actual result:
--------------
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-09-29 10:59 UTC] matty at mattyasia dot com 
This is a coding problem, not a bug. Perhaps an omission in the documentation though.

You can not use this function after you have sent any data to the browser.

So your problem here is that you have used "echo" before calling "session_regenerate_id()", causing this error.

echo '<b>Testing with PHP defaults</b><br/>';
_loop(session_id(), 40, 'a');
 [2011-09-29 14:10 UTC] jason dot gerfen at gmail dot com 
I am familiar with the error and the thing that I find the strangest is that the use of echo on a session variable would prevent the second echo statement by producing errors.

Here in every instance any warnings and/or errors regarding the headers sent occurs at iteration 39 (default md5() session_id()) or iteration 19 (using sha512() session_id()).

I suppose the use of the @session_id() should be used while testing entropy of custom session_id()'s vs. the internal session.entropy_file, session.entropy_length and session.hash_function options?
 [2011-10-03 15:09 UTC] iliaa@php.net
-Status: Open +Status: Bogus
 [2011-10-03 15:09 UTC] iliaa@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Oct 25 17:00:01 2025 UTC