Request #73180 session_id() should be able to set new session ID always
Submitted: 2016-09-27 08:50 UTC Modified: 2018-12-08 01:21 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: yohgaki@php.net Assigned: yohgaki (profile)
Status: Assigned Package: Session related
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None

 [2016-09-27 08:50 UTC] yohgaki@php.net
Description:
------------
session_id() cannot set a new session ID unless session.use_strict_mode=Off. session_id() should be able to set a new session ID regardless of session.use_strict_mode.


Test script:
---------------
<?php
session_id('aaaaaaaaaaaaaaaa');
session_start();
var_dump(session_id());
?>

Expected result:
----------------
string(16) "aaaaaaaaaaaaaaaa"


Actual result:
--------------
string(26) "qr2dhbblded4d63im663l6o8g0"


 [2016-09-27 08:50 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2016-09-27 08:54 UTC] yohgaki@php.net
-Summary: Irrelevant +Summary: session_id() should be able to set new session ID always
 [2018-11-23 04:53 UTC] krozinov at gmail dot com
I am seeing the same issue on Ubuntu 16.04 with:

PHP 7.2.12-1+ubuntu16.04.1+deb.sury.org+1 (cli) (built: Nov 12 2018 09:55:12) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.12-1+ubuntu16.04.1+deb.sury.org+1, Copyright (c) 1999-2018, by Zend Technologies
 [2018-12-08 01:00 UTC] yohgaki@php.net
Strict mode responsibility is "Making sure to provide _secure_ session ID that is generated by session module."

I understand there are usages for "Fixed session ID". However, code like this

session_id('aaaaaaaaaaaaaaaa');

is a serious security threat. So perhaps, a flag for "insecure session id"?

session_id($new_id [, bool $use_possibly_insecure_user_supplied_id = FALSE]);
e.g. session_id('insecure_id_but_i_want_it', true);
 [2018-12-08 01:10 UTC] yohgaki@php.net
I would like to implement session ID management best practice with timestamp management in the future, i.e. force sessions to expire and prevent attackers from exploiting a stolen session ID forever.
https://wiki.php.net/rfc/precise_session_management

Allowing "fixed session ID" makes things complicated. I'm not sure if "allowing fixed session ID" is a good one.
 [2018-12-08 01:21 UTC] yohgaki@php.net
If you would like to use "fixed session ID" with the current implementation, you may implement your own save handler with a special create_id() function.

e.g.
$GLOBALS['use_insecure_fixed_session_id'] = 'some random but fixed session ID';
// session id creation save handler function. Register this as save handler function.
function create_id($id = NULL) {
  if (!empty($GLOBALS['use_insecure_fixed_session_id'])) {
     return $GLOBALS['use_insecure_fixed_session_id'];
  }
  return bin2hex(random_bytes(32));
}

This way, you can keep using "Fixed session ID" even with timestamp managed session.
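
The workaround from the last comment, written as a handler class with session.use_strict_mode left on (an added example, not code from this report or from PHP itself). The class name FixedIdSessionHandler, the format check with its 22-character minimum, and the sample ID are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example: opt-in fixed session ID supplied through create_sid().
final class FixedIdSessionHandler extends SessionHandler
{
    /** @var string|null Fixed ID to hand out, or null for random IDs. */
    private $fixedId;

    public function __construct(?string $fixedId = null)
    {
        // Accept only the characters PHP allows in session IDs
        // (a-z, A-Z, 0-9, comma, minus). The 22-character minimum is
        // this example's own assumption, not a PHP rule.
        if ($fixedId !== null
            && !preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $fixedId)) {
            throw new InvalidArgumentException('fixed session ID has an invalid format');
        }
        $this->fixedId = $fixedId;
    }

    // Called by the session module whenever it has to generate a new ID.
    public function create_sid(): string
    {
        if ($this->fixedId !== null) {
            return $this->fixedId;
        }
        // Same fallback as the snippet in the comment above.
        return bin2hex(random_bytes(32));
    }
}

// Constructed sample value, not a real session ID.
$fixed = 'fixedidforbatchjob0000000000000001';

ini_set('session.use_strict_mode', '1');
session_set_save_handler(new FixedIdSessionHandler($fixed), true);
session_start();

// True when no other session ID was sent with the request (e.g. CLI).
var_dump(session_id() === $fixed);
```

Passing null to the constructor keeps the random-ID path, so the fixed ID stays an explicit per-script opt-in rather than a global.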
 
Last updated: Tue Jun 18 22:01:26 2019 UTC