Request #73180 session_id() should be able to set new session ID always
Submitted: 2016-09-27 08:50 UTC Modified: 2018-12-08 01:21 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: Assigned: yohgaki (profile)
Status: Assigned Package: Session related
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None


 [2016-09-27 08:50 UTC]
session_id() cannot set new session ID unless session.use_strict_mode=Off. session_id() should be able to set new session ID regardless of session.use_strict_mode.

Test script:

Expected result:
string(16) "aaaaaaaaaaaaaaaa"

Actual result:
string(26) "qr2dhbblded4d63im663l6o8g0"


 [2016-09-27 08:50 UTC]
-Assigned To: +Assigned To: yohgaki
 [2016-09-27 08:54 UTC]
-Summary: Irrelevant +Summary: session_id() should be able to set new session ID always
 [2018-11-23 04:53 UTC] krozinov at gmail dot com
I am seeing the same issue on Ubuntu 16.04 with:

PHP (cli) (built: Nov 12 2018 09:55:12) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache, Copyright (c) 1999-2018, by Zend Technologies
 [2018-12-08 01:00 UTC]
Strict mode responsibility is "Making sure to provide _secure_ session ID that is generated by session module."

I understand there are usages for "Fixed session ID". However, code like this


is a serious security threat. So perhaps, flag for "insecure session id"?

session_id($new_id [bool $use_possibly_insecure_user_supplied_id = FALSE]);
e.g. session_id('insecure_id_but_i_want_it', true);
 [2018-12-08 01:10 UTC]
I would like to implement session ID management best practice with timestamp management in the future. i.e. Force to expire session and disallow attackers to exploit stolen session ID forever.

Allowing "fixed session ID" makes things complicated. I'm not sure if "allowing fixed session ID" is a good one.
 [2018-12-08 01:21 UTC]
If you would like to use "fixed session ID" with current implementation, you may implement your own save handler with special create_id() function.

$GLOBALS['use_insecure_fixed_session_id'] = 'some random but fixed session ID';
// session id creation save handler function. Register this as save handler function.
function create_id($id = NULL) {
  // When a fixed ID has been configured, hand it out instead of a random one.
  if (!empty($GLOBALS['use_insecure_fixed_session_id'])) {
     return $GLOBALS['use_insecure_fixed_session_id'];
  }
  // Otherwise generate a CSPRNG-based ID, as the session module would.
  return bin2hex(random_bytes(32));
}

This way, you can keep using "Fixed session ID" even with timestamp managed session.
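A complete version of that workaround, added here as an example and not code from the bug report or from PHP itself: a handler that extends the built-in SessionHandler (so file storage and the default validateId() stay in place) and overrides create_sid(), which is the only path by which the session module itself issues an ID under strict mode. The class name, the character check and the one-shot behaviour (the pinned ID is handed out once, so session_regenerate_id() never re-issues it) are this example's own choices.

```php
<?php
// Added example, not from the bug report: pin the ID of the *next new*
// session by overriding create_sid(). Strict mode only rejects IDs that the
// client supplies (validateId() fails); IDs created by the handler are trusted.
declare(strict_types=1);

final class PinnedIdSessionHandler extends SessionHandler
{
    /** @var string|null ID for the next new session, or null for a random one */
    private ?string $pinnedId;

    public function __construct(?string $pinnedId = null)
    {
        // Conservative subset of the characters PHP accepts in a session ID,
        // so a mistyped value cannot produce an unusable cookie or file name.
        if ($pinnedId !== null && !preg_match('/\A[A-Za-z0-9,-]{1,256}\z/', $pinnedId)) {
            throw new InvalidArgumentException('pinned session ID has invalid characters or length');
        }
        $this->pinnedId = $pinnedId;
    }

    // Called by the session module whenever it needs a brand-new ID:
    // session_start() without a valid cookie, or session_regenerate_id().
    public function create_sid(): string
    {
        if ($this->pinnedId !== null) {
            $id = $this->pinnedId;
            $this->pinnedId = null;      // one-shot: regeneration gets a fresh random ID
            return $id;
        }
        return parent::create_sid();     // default CSPRNG-based ID
    }
}

// Strict mode stays on; the pinned ID is issued by the handler, not read
// from the client, so the session_id() limitation in this report does not apply.
ini_set('session.use_strict_mode', '1');
session_set_save_handler(new PinnedIdSessionHandler('aaaaaaaaaaaaaaaa'), true);
session_start();
var_dump(session_id());
```

On the first request the module has no cookie to validate and asks the handler for an ID, so the pinned value is used; on later requests the cookie carries it and validateId() accepts it because the session file exists.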