PHP :: Request #73180 :: session_id() should be able to set new session ID always

session_id() should be able to set new session ID always

Submitted:

2016-09-27 08:50 UTC

Modified:

2018-12-08 01:21 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

yohgaki@php.net

Assigned:

yohgaki (profile)

Status:

Assigned

Package:

Session related

PHP Version:

Irrelevant

OS:

Irrelevant

Private report:

CVE-ID:

None

View Developer Edit

[2016-09-27 08:50 UTC] yohgaki@php.net

Description:
------------
session_id() cannot set new session ID unless session.use_strict_mode=Off. session_id() should be able to set new session ID regardless of session.use_strict_mode.


Test script:
---------------
<?php
session_id('aaaaaaaaaaaaaaaa');
session_start();
var_dump(session_id());
?>

Expected result:
----------------
string(16) "aaaaaaaaaaaaaaaa"


Actual result:
--------------
string(26) "qr2dhbblded4d63im663l6o8g0"

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-09-27 08:50 UTC] yohgaki@php.net

-Assigned To: +Assigned To: yohgaki

[2016-09-27 08:54 UTC] yohgaki@php.net

-Summary: Irrelevant +Summary: session_id() should be able to set new session ID always

[2018-11-23 04:53 UTC] krozinov at gmail dot com

I am seeing the same issue on Ubuntu 16.04 with:

PHP 7.2.12-1+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Nov 12 2018 09:55:12) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.12-1+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies

[2018-12-08 01:00 UTC] yohgaki@php.net

Strict mode responsibility is "Making sure to provide _secure_ session ID that is generated by session module."

I understand there are usages for "Fixed session ID". However, code like this

session_id('aaaaaaaaaaaaaaaa');

is serious security threat. So perhaps, flag for "insecure session id"?

session_id($new_id [bool $use_possibly_insecure_user_suppiled_id = FALSE]);
e.g. session_id('insecure_id_but_i_want_it', true);

[2018-12-08 01:10 UTC] yohgaki@php.net

I would like to implement session ID management best practice with timestamp management in the future. i.e. Force to expire session and disallow attackers to exploit stolen session ID forever.
https://wiki.php.net/rfc/precise_session_management

Allowing "fixed session ID" make things complicated. I'm not sure if "allowing fixed session ID" is good one.

[2018-12-08 01:21 UTC] yohgaki@php.net

If you would like to use "fixed session ID" with current implementation, you may implement your own save handler with special create_id() function.

e.g.
$GLOBALS['use_insecure_fixed_sessino_id'] = 'some random but fixed session ID';
// session id creation save handler function. Register this as save handler function.
function create_id($id = NULL) {
  if (!empty($GLOBALS['use_insecure_fixed_sessino_id'])) {
     return $GLOBALS['use_insecure_fixed_sessino_id'];
  }
  return bin2hex(random_bytes(32));
}

This way, you can keep using "Fixed session ID" even with timestamp managed session.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 13:01:29 2024 UTC