[2006-06-07 16:19 UTC] ondrej dot subrt at email dot cz
Description:
------------
I'm using OCI8 1.2.1. I want to use persistent connections, but I found a security issue. In my case, each user logs on to Oracle with their own account (own username, password).
The proper user can log on correctly, but while he is working with the DB, another user can reuse his persistent connection. The attacker may know only the username, not the password.
Also, when the proper user logs out, this destroys only the persistent connection in the current webserver/php child process. The other connections in the other child processes are still active and can therefore be reused by the attacker (until the connection reaches its timeout).
I think that the problem is in hashing the connection (making its unique ID). I found this in your source code (oci8.c:980):
smart_str_appendl_ex(&hashed_details, "oci8___", sizeof("oci8___") - 1, 0);
smart_str_appendl_ex(&hashed_details, username, username_len, 0);
smart_str_appendl_ex(&hashed_details, "__", sizeof("__") - 1, 0);
if (dbname) {
    smart_str_appendl_ex(&hashed_details, dbname, dbname_len, 0);
}
smart_str_appendl_ex(&hashed_details, "__", sizeof("__") - 1, 0);
It seems that you hash connections only by username and DB name (if defined), but there is no password.
Reproduce code:
---------------
Call OciPConnProper.php:
<?php
$conn = oci_pconnect('username', 'password', 'dbname');
var_dump($conn);
?>
Then call OciPConnAttack.php:
<?php
$conn = oci_pconnect('username', '..anything..', 'dbname');
var_dump($conn);
?>
Expected result:
----------------
Result of OciPConnProper.php:
resource(1) of type (oci8 persistent connection)
Result of OciPConnAttack.php:
bool(false)
Actual result:
--------------
Result of OciPConnProper.php:
resource(1) of type (oci8 persistent connection)
Result of OciPConnAttack.php:
resource(1) of type (oci8 persistent connection)
Note: This happens only when both requests come to the same child webserver/php process. Therefore you may need to call the scripts several times to reproduce it.
I found a solution - edit oci8.c:
smart_str_appendl_ex(&hashed_details, "oci8___", sizeof("oci8___") - 1, 0);
smart_str_appendl_ex(&hashed_details, username, username_len, 0);
smart_str_appendl_ex(&hashed_details, "__", sizeof("__") - 1, 0);
//*********************** NEW CODE ******************
smart_str_appendl_ex(&hashed_details, password, password_len, 0);
smart_str_appendl_ex(&hashed_details, "__", sizeof("__") - 1, 0);
//******************* END OF NEW CODE ***************
if (dbname) {
    smart_str_appendl_ex(&hashed_details, dbname, dbname_len, 0);
}
smart_str_appendl_ex(&hashed_details, "__", sizeof("__") - 1, 0);
But I think it will be good to note in the PHP documentation that persistent connections are not secure! Or update the code in the next version. What do you think? Thank you for making this extension.
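Added example, not code from the report or from oci8.c: a stand-alone C model of the persistent-connection pool key quoted at oci8.c:980 and of the reporter's proposed fix, showing why a request with the wrong password matches the cached connection when the key omits the password and stops matching once the password is bound into it. The function names are hypothetical, and mixing in an FNV-1a hash of the password (rather than appending it in plaintext as the reporter's patch does) is a design choice of this example, not the project's fix.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define KEY_MAX 256

/* FNV-1a, a non-cryptographic hash: keeps the plaintext password out of the
 * pool key in this model (the hash choice is an assumption of the example). */
static uint64_t fnv1a(const char *s)
{
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

/* The key the report quotes from oci8.c:980: "oci8___<user>__<dbname>__".
 * The password is not part of it, so every password maps to the same key. */
void key_vulnerable(char *out, size_t n, const char *user,
                    const char *password, const char *dbname)
{
    (void)password;
    snprintf(out, n, "oci8___%s__%s__", user, dbname ? dbname : "");
}

/* Hardened key: a hash of the password is mixed in, so a request with a
 * different password cannot match a cached connection (cf. the reporter's
 * patch, which appends the password itself). */
void key_hardened(char *out, size_t n, const char *user,
                  const char *password, const char *dbname)
{
    snprintf(out, n, "oci8___%s__%llx__%s__", user,
             (unsigned long long)fnv1a(password), dbname ? dbname : "");
}

/* Returns 1 if a second request with password2 would be handed the connection
 * cached under password1, i.e. pool reuse without re-authentication. */
int would_reuse(void (*mk)(char *, size_t, const char *, const char *, const char *),
                const char *user, const char *password1,
                const char *password2, const char *dbname)
{
    char k1[KEY_MAX], k2[KEY_MAX];
    mk(k1, sizeof k1, user, password1, dbname);
    mk(k2, sizeof k2, user, password2, dbname);
    return strcmp(k1, k2) == 0;
}
```

Binding the password into the key only stops reuse by a caller who lacks it; it does not address the report's second point, that logging out closes the connection in one child process while the other children keep theirs open until timeout.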