Bug #55787 session_id() - Limits on amount session_regenerate_id() can be used with sha512
Submitted: 2011-09-26 18:29 UTC
Modified: 2011-10-03 15:09 UTC
From: jason dot gerfen at gmail dot com
Assigned:
Status: Not a bug
Package: Session related
PHP Version: 5.3.8
OS: Linux
Private report: No
CVE-ID: None
 [2011-09-26 18:29 UTC] jason dot gerfen at gmail dot com
Description:
------------
I am not sure if this is a bug or a feature in terms of limits due to a test case exceeding internal limits.

Scenario #1.
Using session_regenerate_id() over 39 times results in the following errors:
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent

Scenario #2.
Using session_regenerate_id() over 19 times results in the following errors:
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent; when the following parameters are modified:
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");
ini_set("session.hash_function", "sha512");


Test script:
---------------
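<?php
// Reproduction script from the report. Output is echoed before and between
// the session_regenerate_id() calls made inside _loop().
session_start();

// Regenerate the session ID (deleting the old session), then reassign $_SESSION.
// _loop() passes the session ID string as $old.
function _regenIDdef($old){
 session_regenerate_id(true);
 $_SESSION = $old;
}

// Print one line per iteration with the current ID and its length.
function _prettyPrint($id, $i){
 echo sprintf('Iteration: %d : ID: %s => Length: %d<br/>', $i, $id, strlen((string)$id));
}

// Report every position whose session ID also appears elsewhere in $array.
function _collide($array){
 $x=0;
 foreach($array as $k => $v){
  // array_keys($array, $v) lists all positions holding $v; more than one is a repeat
  if (count(array_keys($array, $v))>1){
   $x++;
   echo sprintf('Collision found at %d session id %s<br/>', $k, $v);
  }
 }
 echo sprintf('Total collisions found %d<br/>', $x);
}

// Regenerate $int times, printing and recording each new ID, then check for repeats.
function _loop($id, $int){
 $a = array();
 for($i=0; $i<$int; $i++){
  _regenIDdef($id);
  _prettyPrint(session_id(), $i);
  $a[$i]=session_id();
 }
 _collide($a);
}

echo '<b>Testing with PHP defaults</b><br/>';
_loop(session_id(), 40, 'a');

echo '<b>Testing with /dev/urandom & entropy 32</b><br/>';
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");
ini_set("session.hash_function", "sha512");
_loop(session_id(), 20, 'a');

?>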

Expected result:
----------------
No errors returning about not being able to regenerate a new session_id

Actual result:
--------------
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent

 [2011-09-29 10:59 UTC] matty at mattyasia dot com
This is a coding problem, not a bug. Perhaps an omission in the documentation though.

You can not use this function after you have sent any data to the browser.

So your problem here is that you have used "echo" before calling "session_regenerate_id()", causing this error.

echo '<b>Testing with PHP defaults</b><br/>';
_loop(session_id(), 40, 'a');
 [2011-09-29 14:10 UTC] jason dot gerfen at gmail dot com
I am familiar with the error and the thing that I find the strangest is that the use of echo on a session variable would prevent the second echo statement by producing errors.

Here in every instance any warnings and/or errors regarding the headers sent occur at iteration 39 (default md5() session_id()) or iteration 19 (using sha512() session_id()).

I suppose the use of the @session_id() should be used while testing entropy of custom session_id()'s vs. the internal session.entropy_file, session.entropy_length and session.hash_function options?
 [2011-10-03 15:09 UTC] iliaa@php.net
-Status: Open +Status: Bogus
 [2011-10-03 15:09 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
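
The point made in the 2011-09-29 comment (no session_regenerate_id() once output has been sent), as an added example that is not part of the original report or of PHP itself: it regenerates every ID first, checks for repeats, and prints only afterwards. The helper names regenerate_ids() and find_collisions() are hypothetical, and the code assumes PHP 7 or later with default session settings.

```php
<?php
// Added example (not from the bug report): do all header-affecting session
// work first, collect the results, and send output only at the end.

/** Regenerate the session ID $count times and return the IDs in order. */
function regenerate_ids(int $count): array
{
    $ids = [];
    for ($i = 0; $i < $count; $i++) {
        // Once output has started, the session cookie header cannot be
        // replaced. Stop with a clear error instead of recording a stale ID.
        if (headers_sent($file, $line)) {
            throw new RuntimeException("Output already started at $file:$line");
        }
        if (!session_regenerate_id(true)) {
            throw new RuntimeException("session_regenerate_id() failed at iteration $i");
        }
        $ids[] = session_id();
    }
    return $ids;
}

/** Return the IDs that occur more than once, mapped to their occurrence count. */
function find_collisions(array $ids): array
{
    return array_filter(array_count_values($ids), function ($n) {
        return $n > 1;
    });
}

session_start();
$ids = regenerate_ids(40);
$collisions = find_collisions($ids);

// No further session calls follow, so output is safe from here on.
foreach ($ids as $i => $id) {
    printf("Iteration: %d : ID: %s => Length: %d<br/>\n", $i, htmlspecialchars($id), strlen($id));
}
foreach ($collisions as $id => $n) {
    printf("Collision: session id %s seen %d times<br/>\n", htmlspecialchars((string)$id), $n);
}
printf("Total collisions found %d<br/>\n", count($collisions));
```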


 
Last updated: Sun May 26 12:01:29 2024 UTC