Request #72744 https://wiki.php.net/rfc/session-id-without-hashing
Submitted: 2016-08-03 14:09 UTC Modified: 2016-08-04 07:45 UTC
From: spam2 at rhsoft dot net Assigned: yohgaki (profile)
Status: Wont fix Package: Session related
PHP Version: Next Minor Version OS:
Private report: No CVE-ID: None

 [2016-08-03 14:09 UTC] spam2 at rhsoft dot net
Description:
------------
> Compatible defaults: session.sid_length=32, session.sid_bits_per_character=4
> (128 bits session ID. No BC break)

that is not true in case of smarter sysadmins who switched away from the MD5 default years ago, and hence in case the settings are present in "php.ini" it should change its default behavior to *really* be compatible
____________________________

session.entropy_length = 32
session.hash_function = 1
session.hash_bits_per_character = 6

SecRule REQUEST_COOKIES_NAMES|ARGS_NAMES "(^PHPSESSID$|JSESSIONID$|ASPSESSIONID$|ASP\.NET_SessionId$)" "id:'133',phase:2,capture,logdata:'%{TX.0}',block,msg:'Invalid SessionID name not allowed'"
SecRule ARGS_NAMES "(^LOUNGE_ID$|PANEL_ID$)""id:'134',phase:2,capture,logdata:'%{TX.0}',block,msg:'LOUNGE_ID not allowed via GET or POST'"
SecRule REQUEST_COOKIES:LOUNGE_ID|REQUEST_COOKIES:PANEL_ID "!@rx ^[-a-z0-9,]{27}$" "id:'135',phase:2,logdata:'%{matched_var}',t:urlDecodeUni,t:lowercase,block,msg:'Unexpected value for LOUNGE_ID'"



History

 [2016-08-03 16:01 UTC] cmb@php.net
-Assigned To: +Assigned To: yohgaki
 [2016-08-03 16:01 UTC] cmb@php.net
Assigned to RFC author.
 [2016-08-04 02:27 UTC] yohgaki@php.net
-Status: Assigned +Status: Wont fix
 [2016-08-04 02:27 UTC] yohgaki@php.net
I could be wrong, but anyway

SecRule REQUEST_COOKIES_NAMES|ARGS_NAMES "(^PHPSESSID$|JSESSIONID$|ASPSESSIONID$|ASP\.NET_SessionId$)" "id:'133',phase:2,capture,logdata:'%{TX.0}',block,msg:'Invalid SessionID name not allowed'"

This seems to be a Cookie name match. Irrelevant as default session name is not changed.

SecRule ARGS_NAMES "(^LOUNGE_ID$|PANEL_ID$)""id:'134',phase:2,capture,logdata:'%{TX.0}',block,msg:'LOUNGE_ID not allowed via GET or POST'"

This seems to have nothing to do with the PHP session ID.

SecRule REQUEST_COOKIES:LOUNGE_ID|REQUEST_COOKIES:PANEL_ID "!@rx ^[-a-z0-9,]{27}$" "id:'135',phase:2,logdata:'%{matched_var}',t:urlDecodeUni,t:lowercase,block,msg:'Unexpected value for LOUNGE_ID'"

This seems to have nothing to do with the PHP session ID.

What is important here is
 - Session ID length
 - Chars used by session ID

session.sid_length = 32
session.sid_bits_per_character = 4 or 5
6 is a little intrusive as it contains non alphanum char.
5 could be BC if something validates session value as hex string.

For users using non-default sha1 or sha2 hashes, they have to adjust the INI on their own anyway. Therefore, there is no BC break.
 [2016-08-04 02:39 UTC] yohgaki@php.net
I guess you mean

 - session.hash_function=1 (sha1)
 - session.hash_bits_per_chars=6 

yields session ID with length=32 chars.

To achieve the same result, users would set

 - session.sid_length=32
 - session.sid_bits_per_chars=6

I'll document them.
 [2016-08-04 05:16 UTC] spam2 at rhsoft dot net
Come on, LOUNGE_ID *is* the session ID, which becomes obvious when you even comment on the line before, which forbids the default PHPSESSID, and as you say it's about length and chars - guess what the regex of the third rule does

If someone had changed the silly default from md5 to sha1 many years ago, we would just be talking about a BC-compatible 160-bit default
 [2016-08-04 05:22 UTC] spam2 at rhsoft dot net
Yes, I mean those settings; hence they are part of my initial report, which is about *just reading them* to provide backward-compatible behavior instead of removing them and introducing new ini settings
 [2016-08-04 07:39 UTC] yohgaki@php.net
While updating the php.ini-* files, I realized session.hash_bits_per_char is changed to 5. We have to think about this since it seems it has changed in 5.3 at least, maybe older. I'll probably set session.sid_length = 26 in php.ini-*. This should be enough.

Anyway, your recommendation, 192-bit session ID (SHA1) with 6 bits per char,

session.hash_function = 1 (SHA1 - 192 bits)
session.hash_bits_per_character = 6

results in session ID length=32 chars.
This wouldn't happen because 6 hash bits per char requires more characters than now. You would need ^[-a-z0-9,]{32}$ rather than ^[-a-z0-9,]{27}$ with this config as well.

The regex ^[-a-z0-9,]{27}$ works with

session.hash_function = 0 (MD5 - 128 bits)
session.hash_bits_per_character = 5
(Session ID length became 26 chars)

The regex could be reduced to

 ^[a-v0-9]{26}$ (You don't need extra chars for 5 bits per char)

If you don't want to bother much, just use something like

 ^[-a-z0-9,]{48}$

because I will recommend session ID at least 32 chars + 5 bits per char in documents.

Anyway, thank you for the heads up; I missed that the session ID length is now 26 due to php.ini-*.
 [2016-08-04 07:45 UTC] yohgaki@php.net
Oops, use something like

 ^[-a-z0-9,]{26,48}$

rather than

 ^[-a-z0-9,]{48}$
 [2016-08-04 08:05 UTC] spam2 at rhsoft dot net
please RTFM below - since the WAF rule would reject any session id containing other chars and with a length shorter *or* larger than defined, I would know that anyway

LOUNGE_ID kjtnTGUmpynqyClOiBGtWLPi6R7 /	local.rhsoft.net End Of Session
______________________________________________

Anyway, your recommendation, 192-bit session ID (SHA1) with 6 bits per char,

session.hash_function = 1 (SHA1 - 192 bits)
session.hash_bits_per_character = 6

results in session ID length=32 chars.
This wouldn't happen because 6 hash bits per char requires more characters than now. You would need ^[-a-z0-9,]{32}$ rather than ^[-a-z0-9,]{27}$ with this config as well.
______________________________________________

http://php.net/manual/en/session.configuration.php

session.hash_function mixed
session.hash_function allows you to specify the hash algorithm used to generate the session IDs. '0' means MD5 (128 bits) and '1' means SHA-1 (160 bits).

Since PHP 5.3.0 it is also possible to specify any of the algorithms provided by the hash extension (if it is available), like sha512 or whirlpool. A complete list of supported algorithms can be obtained with the hash_algos() function.
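An added example (not from this bug report and not PHP's own code) that works through the length arithmetic argued over in the thread: the legacy generator packs the digest `hash_bits_per_character` bits at a time (so SHA-1 at 6 bits gives 27 chars, MD5 at 5 bits gives 26), and a strict validator like the reporter's ModSecurity rule only keeps matching if the new `session.sid_length`/`session.sid_bits_per_character` pair reproduces that shape. Digest sizes and character sets are taken from the PHP manual quoted above; the function names are assumptions of this example.

```python
import math
import re

# Digest sizes for the legacy session.hash_function values, as the PHP manual
# quoted in the thread states them: '0' = MD5 (128 bits), '1' = SHA-1 (160 bits).
LEGACY_HASH_BITS = {0: 128, 1: 160}

# Character sets for each *_bits_per_character value (PHP manual):
# 4 -> 0-9a-f, 5 -> 0-9a-v, 6 -> 0-9, a-z, A-Z, '-' and ','.
ALPHABET = {4: "0-9a-f", 5: "0-9a-v", 6: "0-9a-zA-Z,-"}


def legacy_sid_length(hash_function: int, bits_per_char: int) -> int:
    """Characters produced by the old hash-based generator: the digest is
    consumed bits_per_char bits at a time, so a partial last chunk still
    costs one character (160 / 6 -> 27, 128 / 5 -> 26)."""
    return math.ceil(LEGACY_HASH_BITS[hash_function] / bits_per_char)


def compatible_settings(hash_function: int, bits_per_char: int) -> dict:
    """Map legacy ini settings to the sid_length / sid_bits_per_character pair
    that keeps the same ID length and character set, so an existing validator
    such as the WAF rule in the report keeps matching (example mapping)."""
    return {
        "session.sid_length": legacy_sid_length(hash_function, bits_per_char),
        "session.sid_bits_per_character": bits_per_char,
    }


def sid_pattern(length: int, bits_per_char: int, lowercased: bool = False) -> re.Pattern:
    """Strict validator for a session ID of the given shape. With lowercased=True
    the class drops A-Z, mirroring a rule that applies t:lowercase first."""
    alphabet = ALPHABET[bits_per_char]
    if lowercased:
        alphabet = alphabet.replace("A-Z", "")
    return re.compile(rf"^[{alphabet}]{{{length}}}$")


def is_valid_sid(value: str, length: int, bits_per_char: int, lowercased: bool = False) -> bool:
    return sid_pattern(length, bits_per_char, lowercased).fullmatch(value) is not None


if __name__ == "__main__":
    # Check using the 27-char cookie value shown in the report (sha1, 6 bits/char).
    reported = "kjtnTGUmpynqyClOiBGtWLPi6R7"
    print(legacy_sid_length(1, 6), is_valid_sid(reported.lower(), 27, 6, lowercased=True))
    print(compatible_settings(1, 6))
    # The RFC default (32 chars at 4 bits/char) would be rejected by the 27-char rule.
    print(is_valid_sid("a" * 32, 27, 6, lowercased=True))
```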
 
Last updated: Fri Apr 26 16:01:29 2024 UTC