php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71186 session.hash_function - algorithm changes
Submitted: 2015-12-21 20:16 UTC Modified: 2016-01-31 04:22 UTC
From: akauffman at ne4u dot com Assigned: yohgaki (profile)
Status: No Feedback Package: Session related
PHP Version: 7.0.1 OS: Ubuntu 14.04 LTS
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: akauffman at ne4u dot com
New email:
PHP Version: OS:

 

 [2015-12-21 20:16 UTC] akauffman at ne4u dot com
Description:
------------
Setting session.hash_function via php.ini does not remain consistent, it goes back to default algorithm after session_regenerate_id().  You must use ini_set in the script for the hashing algorithm to remain consistent.


BTW - This bug seems to have been reintroduced.

Test script:
---------------
<?php
//ini_set('session.hash_function','sha512');
session_start();
$orig = session_id();
session_regenerate_id();
$new = session_id();
echo("$orig <br> $new");
?>

Expected result:
----------------
Hashing algorithm remains sha512.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-12-22 06:01 UTC] yohgaki@php.net
-Operating System: Ubuntu 14.04 LTS +Operating System: any -Assigned To: +Assigned To: yohgaki
 [2015-12-22 06:01 UTC] yohgaki@php.net
https://3v4l.org/hkZM7

It seems something wrong in hash function setting.
 [2015-12-22 07:22 UTC] yohgaki@php.net
-Status: Assigned +Status: Feedback
 [2015-12-22 07:22 UTC] yohgaki@php.net
3v4l does not support/allow to change session.use_strict_mode=1

https://3v4l.org/KD6I3

I cannot reproduce problem. Try this phpt file and see if you have problem.
You can run single test as follows from PHP source root.

./run-tests.php ext/session/tests/bug71186.phpt


===== test file - save this code as "ext/session/tests/bug71186.phpt" =====

--TEST--
Bug #71186 session.hash_function - algorithm changes
--SKIPIF--
<?php include('skipif.inc'); ?>
--INI--
session.hash_function=sha512
session.save_handler=files
--FILE--
<?php
ob_start();
ini_set('session.use_strict_mode', 1);

session_start();
$orig = session_id();
session_regenerate_id();
$new = session_id();
var_dump(strlen($orig),strlen($new));
session_commit();

ini_set('session.hash_function','sha1');
session_id('invalid');
session_start();
$orig = session_id();
session_regenerate_id();
$new = session_id();
var_dump(strlen($orig),strlen($new));
?>
--EXPECT--
int(128)
int(128)
int(40)
int(40)
 [2015-12-22 07:24 UTC] yohgaki@php.net
Something wrong in bug system. Please disregard the last comment.
 [2015-12-22 15:50 UTC] akauffman at ne4u dot com
-Status: Feedback +Status: Assigned
 [2015-12-22 15:50 UTC] akauffman at ne4u dot com
I had to add this to the test script:
session.save_path=/tmp



./run-tests.php -v ext/session/tests/bug71186.phpt 

=====================================================================
PHP         : /usr/local/bin/php 
PHP_SAPI    : cli
PHP_VERSION : 7.0.1
ZEND_VERSION: 3.0.0
PHP_OS      : Linux - Linux waf1 3.19.0-41-generic #46~14.04.2-Ubuntu SMP Tue Dec 8 17:46:10 UTC 2015 x86_64
INI actual  : /usr/local/php7/lib/php.ini
More .INIs  : /usr/local/php7/etc/conf.d/modules.ini  
CWD         : /root/php-7-debian/php-src
Extra dirs  : 
VALGRIND    : Not used
=====================================================================
Running selected tests.

=================
TEST /root/php-7-debian/php-src/ext/session/tests/bug71186.phpt
TEST 1/1 [ext/session/tests/bug71186.phpt]
CONTENT_LENGTH  = 
CONTENT_TYPE    = 
PATH_TRANSLATED = /root/php-7-debian/php-src/ext/session/tests/bug71186.php
QUERY_STRING    = 
REDIRECT_STATUS = 1
REQUEST_METHOD  = GET
SCRIPT_FILENAME = /root/php-7-debian/php-src/ext/session/tests/bug71186.php
HTTP_COOKIE     = 
COMMAND /usr/local/bin/php   -d "output_handler=" -d "open_basedir=" -d "safe_mode=0" -d "disable_functions=" -d "output_buffering=Off" -d "error_reporting=32767" -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d "html_errors=0" -d "track_errors=1" -d "report_memleaks=1" -d "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d "memory_limit=128M" -d "log_errors_max_len=0" -d "opcache.fast_shutdown=0" -d "opcache.file_update_protection=0" -d "session.auto_start=0" -d "zlib.output_compression=Off" -d "mbstring.func_overload=0" -d "session.hash_function=sha512" -d "session.save_path=/tmp" -d "session.save_handler=files" -f "/root/php-7-debian/php-src/ext/session/tests/bug71186.php"  2>&1
FAIL Bug #71186 session.hash_function - algorithm changes [ext/session/tests/bug71186.phpt] 
=====================================================================
Number of tests :    1                 1
Tests skipped   :    0 (  0.0%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :    1 (100.0%) (100.0%)
Expected fail   :    0 (  0.0%) (  0.0%)
Tests passed    :    0 (  0.0%) (  0.0%)
---------------------------------------------------------------------
Time taken      :    0 seconds
=====================================================================

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #71186 session.hash_function - algorithm changes [ext/session/tests/bug71186.phpt]
=====================================================================
 [2015-12-29 22:31 UTC] yohgaki@php.net
-Status: Assigned +Status: Feedback
 [2015-12-29 22:31 UTC] yohgaki@php.net
Could you paste the content of 
ext/session/tests/bug71186.log

Your system uses this INI file
INI actual  : /usr/local/php7/lib/php.ini
Could you pate the session section of this INI?
 [2016-01-10 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2016-01-10 07:24 UTC] yohgaki@php.net
-Status: No Feedback +Status: Feedback
 [2016-01-11 15:56 UTC] akauffman at ne4u dot com
-Status: Feedback +Status: Assigned -Operating System: any +Operating System: Ubuntu 14.04 LTS
 [2016-01-11 15:56 UTC] akauffman at ne4u dot com
cat bug71186.log 

---- EXPECTED OUTPUT
int(128)
int(128)
int(40)
int(40)
---- ACTUAL OUTPUT
int(103)
int(103)
int(32)
int(32)
---- FAILED
 [2016-01-11 16:07 UTC] akauffman at ne4u dot com
grep -i ^session\. /usr/local/php7/lib/php.ini

session.save_handler = memcached
session.save_path = 'xxx.xxx.xxx.xx1:11211,xxx.xxx.xxx.xx2:11211'
session.use_strict_mode = 0
session.use_cookies = 1
session.use_only_cookies = 1
session.name = ZEBRA
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php 
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.referer_check =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = sha512
session.hash_bits_per_character = 5
session.upload_progress.name = "ZEBRA_SESSION_UPLOAD_PROGRESS"
 [2016-01-17 07:58 UTC] yohgaki@php.net
-Status: Assigned +Status: Feedback
 [2016-01-17 07:58 UTC] yohgaki@php.net
The reason why the test fails is

session.hash_bits_per_character = 5

If you change this to

session.hash_bits_per_character = 4

or set this value in the phpt, then it would pass.
According to the test result, it seems it's working as expected. 

I guess you are experiencing this in web environment. Could you execute php script part of the phpt and check the output? What is your Server API? (see phpinfo() output for used Server API)
 [2016-01-31 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 12:01:27 2024 UTC