|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2016-08-03 14:09 UTC] spam2 at rhsoft dot net
Description:
------------
> Compatible defaults: session.sid_length=32, session.sid_bits_per_character=4
> (128 bits session ID. No BC break)
that is not true in case of smarter sysadmins which swicthed away from the MD5 default years ago and hence in case the sesstings are present in "php.ini" it should change it's default behavior to *really* be compatible
____________________________
session.entropy_length = 32
session.hash_function = 1
session.hash_bits_per_character = 6
SecRule REQUEST_COOKIES_NAMES|ARGS_NAMES "(^PHPSESSID$|JSESSIONID$|ASPSESSIONID$|ASP\.NET_SessionId$)" "id:'133',phase:2,capture,logdata:'%{TX.0}',block,msg:'Invalid SessionID name not allowed'"
SecRule ARGS_NAMES "(^LOUNGE_ID$|PANEL_ID$)""id:'134',phase:2,capture,logdata:'%{TX.0}',block,msg:'LOUNGE_ID not allowed via GET or POST'"
SecRule REQUEST_COOKIES:LOUNGE_ID|REQUEST_COOKIES:PANEL_ID "!@rx ^[-a-z0-9,]{27}$" "id:'135',phase:2,logdata:'%{matched_var}',t:urlDecodeUni,t:lowercase,block,msg:'Unexpected value for LOUNGE_ID'"
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Wed Jul 09 11:01:34 2025 UTC |
I could be wrong, but anyway SecRule REQUEST_COOKIES_NAMES|ARGS_NAMES "(^PHPSESSID$|JSESSIONID$|ASPSESSIONID$|ASP\.NET_SessionId$)" "id:'133',phase:2,capture,logdata:'%{TX.0}',block,msg:'Invalid SessionID name not allowed'" This seems to be a Cookie name match. Irrelevant as default session name is not changed. SecRule ARGS_NAMES "(^LOUNGE_ID$|PANEL_ID$)""id:'134',phase:2,capture,logdata:'%{TX.0}',block,msg:'LOUNGE_ID not allowed via GET or POST'" This seems nothing to do with PHP session ID. SecRule REQUEST_COOKIES:LOUNGE_ID|REQUEST_COOKIES:PANEL_ID "!@rx ^[-a-z0-9,]{27}$" "id:'135',phase:2,logdata:'%{matched_var}',t:urlDecodeUni,t:lowercase,block,msg:'Unexpected value for LOUNGE_ID'" This seems nothing to do with PHP session ID. What important here is - Session ID length - Chars used by session ID session.sid_lengh = 32 session.sid_bits_per_character = 4 or 5 6 is a little intrusive as it contains non alphanum char. 5 could be BC if something validates session value as hex string. For users using non default sha1 or sha2 hashes, they have to adjust INI by their own anyway. Therefore, there is no BC.While updating php.ini-* files, I realized session.hash_bits_per_char is changed to 5. We have to think about since it seems it has changed in 5.3 at least, may be older. I probably set session.sid_length = 26 in php.ini-*. This should be enough. Anyway. your recommendation, 192 bits session ID (SHA1) with 6 bits per char, session.hash_function = 1 (SHA1 - 192 bits) session.hash_bits_per_character = 6 results in session ID length=32 chars. This wouldn't happen because hash bits per char 6 requires more characters than now. You would need ^[-a-z0-9,]{32}$ rather than ^[-a-z0-9,]{27}$ with this config also. The regex ^[-a-z0-9,]{27}$ works with session.hash_function = 0 (MD5 - 128 bits) session.hash_bits_per_character = 5 (Session ID length became 26 chars) The regex could be reduced to ^[a-v0-9]{26}$ (You don't need extra chars for 5 bits per char) If don't want to bother much, just use something like ^[-a-z0-9,]{48}$ because I will recommend session ID at least 32 chars + 5 bits per char in documents. Anyway, thank you for heads up, missed session ID length is now 26 due to php.ini-*.Oops, use something like ^[-a-z0-9,]{26,48}$ rather than ^[-a-z0-9,]{48}$please RTFM below - since the WAF rule would reject any session id containing other chars and with a length short *or* larger then defined i would know that anyways LOUNGE_ID kjtnTGUmpynqyClOiBGtWLPi6R7 / local.rhsoft.net End Of Session ______________________________________________ Anyway. your recommendation, 192 bits session ID (SHA1) with 6 bits per char, session.hash_function = 1 (SHA1 - 192 bits) session.hash_bits_per_character = 6 results in session ID length=32 chars. This wouldn't happen because hash bits per char 6 requires more characters than now. You would need ^[-a-z0-9,]{32}$ rather than ^[-a-z0-9,]{27}$ with this config also. ______________________________________________ http://php.net/manual/en/session.configuration.php session.hash_function mixed session.hash_function allows you to specify the hash algorithm used to generate the session IDs. '0' means MD5 (128 bits) and '1' means SHA-1 (160 bits). Since PHP 5.3.0 it is also possible to specify any of the algorithms provided by the hash extension (if it is available), like sha512 or whirlpool. A complete list of supported algorithms can be obtained with the hash_algos() function.