Request #73180 session_id() should be able to set new session ID always
Submitted: 2016-09-27 08:50 UTC Modified: 2018-12-08 01:21 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: yohgaki@php.net Assigned: yohgaki (profile)
Status: Assigned Package: Session related
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None
 [2016-09-27 08:50 UTC] yohgaki@php.net
Description:
------------
session_id() cannot set a new session ID unless session.use_strict_mode=Off. session_id() should be able to set a new session ID regardless of session.use_strict_mode.


Test script:
---------------
<?php
session_id('aaaaaaaaaaaaaaaa');
session_start();
var_dump(session_id());
?>

Expected result:
----------------
string(16) "aaaaaaaaaaaaaaaa"


Actual result:
--------------
string(26) "qr2dhbblded4d63im663l6o8g0"


History

 [2016-09-27 08:50 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2016-09-27 08:54 UTC] yohgaki@php.net
-Summary: Irrelevant +Summary: session_id() should be able to set new session ID always
 [2018-11-23 04:53 UTC] krozinov at gmail dot com
I am seeing the same issue on Ubuntu 16.04 with:

PHP 7.2.12-1+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Nov 12 2018 09:55:12) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.12-1+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies
 [2018-12-08 01:00 UTC] yohgaki@php.net
Strict mode's responsibility is "Making sure to provide a _secure_ session ID that is generated by the session module."

I understand there are usages for "Fixed session ID". However, code like this

session_id('aaaaaaaaaaaaaaaa');

is a serious security threat. So perhaps a flag for "insecure session id"?

session_id($new_id [bool $use_possibly_insecure_user_supplied_id = FALSE]);
e.g. session_id('insecure_id_but_i_want_it', true);
 [2018-12-08 01:10 UTC] yohgaki@php.net
I would like to implement session ID management best practice with timestamp management in the future, i.e. force sessions to expire and disallow attackers from exploiting a stolen session ID forever.
https://wiki.php.net/rfc/precise_session_management

Allowing a "fixed session ID" makes things complicated. I'm not sure if "allowing fixed session ID" is a good one.
 [2018-12-08 01:21 UTC] yohgaki@php.net
If you would like to use a "fixed session ID" with the current implementation, you may implement your own save handler with a special create_id() function.

e.g.
$GLOBALS['use_insecure_fixed_session_id'] = 'some random but fixed session ID';
// Session ID creation function. Register it as the create_sid callback of a
// save handler (the 7th argument of session_set_save_handler()). It returns the
// configured fixed ID when one is set, otherwise a fresh random ID.
function create_id($id = NULL) {
  if (!empty($GLOBALS['use_insecure_fixed_session_id'])) {
     return $GLOBALS['use_insecure_fixed_session_id'];
  }
  return bin2hex(random_bytes(32));
}

This way, you can keep using a "fixed session ID" even with timestamp-managed sessions.
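As an added example (not code from this thread or from the PHP project), a complete save handler in the spirit of the workaround above, assuming PHP 8: validateId() is what strict mode consults for a client-supplied ID, so the 'aaaaaaaaaaaaaaaa' from the report is discarded, while an optional fixed ID only flows through create_sid(). The in-memory store is constructed for the demo and lives for one request.

```php
<?php
// Added example, not from the bug report. Assumes PHP 8 (typed interfaces, union types).
// Storage is an in-memory array constructed for illustration only.
final class StrictAwareHandler implements SessionHandlerInterface, SessionIdInterface, SessionUpdateTimestampHandlerInterface
{
    /** @var array<string, array{0: string, 1: int}> id => [data, last access time] */
    private array $store = [];

    // Optional fixed ID (the thread's workaround); null keeps fully random IDs.
    public function __construct(private ?string $fixedId = null) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false { return $this->store[$id][0] ?? ''; }
    public function write(string $id, string $data): bool { $this->store[$id] = [$data, time()]; return true; }
    public function destroy(string $id): bool { unset($this->store[$id]); return true; }
    public function gc(int $max_lifetime): int|false {
        $removed = 0;
        foreach ($this->store as $id => $entry) {
            if ($entry[1] + $max_lifetime < time()) { unset($this->store[$id]); $removed++; }
        }
        return $removed;
    }

    // With session.use_strict_mode=1 the session module calls this on the ID it received
    // (cookie, URL, or session_id()) before using it. An ID this store never issued
    // returns false, so the module drops it and asks create_sid() for a fresh one,
    // which is the behaviour the report shows.
    public function validateId(string $id): bool { return isset($this->store[$id]); }
    public function updateTimestamp(string $id, string $data): bool { return $this->write($id, $data); }

    // Only the session module calls this, so a fixed ID configured here survives
    // strict mode while the same value passed to session_id() does not.
    public function create_sid(): string { return $this->fixedId ?? bin2hex(random_bytes(32)); }
}

ini_set('session.use_strict_mode', '1');
session_set_save_handler(new StrictAwareHandler(), true);
session_id('aaaaaaaaaaaaaaaa');   // in a real app this value is attacker-controllable
session_start();
// Strict mode has validateId() reject the supplied ID; session_id() now holds a value from create_sid().
var_dump(session_id() === 'aaaaaaaaaaaaaaaa');
```

Running this from the CLI (php -d session.use_strict_mode=1) is enough; no web server is needed because the handler never touches disk.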
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 18:01:29 2024 UTC