php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #67798 Handling possible collisions of session ID
Submitted: 2014-08-06 14:34 UTC Modified: 2014-12-30 09:04 UTC
From: jan dot kahoun at heureka dot cz Assigned:
Status: Not a bug Package: Session related
PHP Version: Irrelevant OS: irrelevant
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: jan dot kahoun at heureka dot cz
New email:
PHP Version: OS:

 

 [2014-08-06 14:34 UTC] jan dot kahoun at heureka dot cz 
Description:
------------
Hi,

we are using MySQL for storing sessions of logged-in users and we've 
encountered a problem with few duplicated sessions ID when inserting new one 
during last year. We've looked into PHP source code where we found a possible 
bug.

Currently we are using PHP 5.4.29, so we investigated source code for this 
version at first (file ext/session/session.c, function 
php_session_initialize). We've found out that after the new session ID is 
created, it is not checked if it exists in session storage. Then this new 
session ID is used to read data from session storage. This could lead to 
reading data of another user if duplicated session ID was generated.

The possibility of ID collision is small, but could happen and for our case 
already happened. We currently have ~500k active sessions with ~30k new 
sessions per day.

Also we looked into source code of PHP 5.5.15. The problem persists int this 
version too. But now there is possible workaround. SessionHandler and 
SessionHandlerInterface have a new method for creating own session ID, but it 
is not mentioned in documentation. This method was not build to handle this 
problem, but can be used for it.

Possible solution:
Create method in PHP like "testAndCreate" in SessionHandler and 
SessionHandlerInterface which should check if session ID exists in session 
storage and if not create it. Depending on the result PHP should generate new 
ID or continue. Also mention this in documentation.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-09-02 09:06 UTC] jan dot kahoun at heureka dot cz 
Could anyone look at this issue, please?
 [2014-12-30 09:04 UTC] stas@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Feature/Change Request
 [2014-12-30 09:04 UTC] stas@php.net 
As you mentioned, you can use SessionHandler::create_sid for this.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun May 05 23:01:30 2024 UTC