Doc Bug #75707 session.sid_length compatibility note
Submitted: 2017-12-19 18:10 UTC
Modified: 2018-07-23 14:44 UTC
From: xavier dot leune at gmail dot com
Assigned: cmb
Status: Not a bug
Package: Session related
PHP Version: 7.1.12
OS:
Private report: No
CVE-ID: None
 [2017-12-19 18:10 UTC] xavier dot leune at gmail dot com
Description:
------------
Hi,

We're actually moving to PHP 7.1 and we are trying to add a PHP 7.1 server to our cluster. So we need to make sure that session IDs will be compatible between PHP5 and PHP 7.1.
I've read the compatibility note on the parameter session.sid_length but actually I'm not sure which value I should use. Here is the note:
Compatibility Note: Use 32 for session.hash_func=0 (MD5) and session.hash_bits_per_character=4, session.hash_func=1 (SHA1) and session.hash_bits_per_character=6. Use 26 for session.hash_func=0 (MD5) and session.hash_bits_per_character=5. Use 22 for session.hash_func=0 (MD5) and session.hash_bits_per_character=6. You must configure INI values to have at least 128 bits in session ID. Do not forget set appropriate value to session.sid_bits_per_character, otherwise you will have weaker session ID.

It appears that some information is contradictory. I was trying to update the doc but I'm not sure of what should be written instead. I think it should have only an example for md5 compatibility and one for sha1 compatibility.

Can you please tell me what values should be used for these 2 use cases and I'll propose a change in the documentation.

Thanks,

Xavier.


 [2018-07-23 14:44 UTC] cmb@php.net
-Status: Open
+Status: Not a bug
-Package: Documentation problem
+Package: Session related
-Assigned To:
+Assigned To: cmb
 [2018-07-23 14:44 UTC] cmb@php.net
MD5 hashes consist of 128 bits.  The value of session.sid_length
*depends* on the value of session.hash_bits_per_character:

session.hash_bits_per_character=4 => session.sid_length=32
session.hash_bits_per_character=5 => session.sid_length=26
session.hash_bits_per_character=6 => session.sid_length=22

Analogous for SHA1 hashes.
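
The mapping in the comment above, worked through as an added example (not code from this report or from PHP itself): it derives the PHP 7.1 session.sid_length from the PHP 5 hash settings, for MD5 and SHA1 alike, and checks whether an existing session ID fits the result. The function names and the sample ID are constructed for illustration; it assumes session.sid_bits_per_character is set to the old session.hash_bits_per_character and uses the character ranges documented for that setting.

```php
<?php
// Added example: maps PHP 5 session hash settings to PHP 7.1 session ID settings.
declare(strict_types=1);

const HASH_BITS = [0 => 128, 1 => 160]; // session.hash_func: 0 = MD5, 1 = SHA1

// Character ranges PHP uses for 4, 5 and 6 bits per character.
const SID_CHARSETS = [4 => '0-9a-f', 5 => '0-9a-v', 6 => '0-9a-zA-Z,-'];

/** PHP 7.1 INI values that reproduce the ID shape of a PHP 5 node (hypothetical helper). */
function php71SettingsFor(int $hashFunc, int $bitsPerChar): array
{
    if (!array_key_exists($hashFunc, HASH_BITS) || !array_key_exists($bitsPerChar, SID_CHARSETS)) {
        throw new InvalidArgumentException('unsupported hash_func or bits per character');
    }
    return [
        // ceil(hash bits / bits per character), in integer arithmetic
        'session.sid_length' => intdiv(HASH_BITS[$hashFunc] + $bitsPerChar - 1, $bitsPerChar),
        'session.sid_bits_per_character' => $bitsPerChar,
    ];
}

/** Reasons why $sid does not match $settings; an empty array means it fits (hypothetical helper). */
function sidProblems(string $sid, array $settings): array
{
    $problems = [];
    $len = $settings['session.sid_length'];
    $bits = $settings['session.sid_bits_per_character'];
    if (strlen($sid) !== $len) {
        $problems[] = sprintf('length %d, expected %d', strlen($sid), $len);
    }
    if (!preg_match('/^[' . SID_CHARSETS[$bits] . ']*$/', $sid)) {
        $problems[] = "characters outside the {$bits}-bit alphabet";
    }
    if ($len * $bits < 128) { // the note's minimum of 128 bits per session ID
        $problems[] = 'fewer than 128 bits in the session ID';
    }
    return $problems;
}

// Constructed sample: an MD5-shaped ID, as a PHP 5 node with hash_bits_per_character=4 emits.
$php5Sid = md5('constructed-sample');
foreach ([4, 5, 6] as $bits) {
    $settings = php71SettingsFor(0, $bits);
    printf("MD5, %d bits/char => sid_length=%d, sample ID: %s\n", $bits,
        $settings['session.sid_length'],
        implode('; ', sidProblems($php5Sid, $settings)) ?: 'compatible');
}
```

Calling php71SettingsFor(1, $bits) gives the SHA1 counterparts, since the length is the hash size in bits divided by the bits per character, rounded up.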
 
Last updated: Sat Apr 20 01:01:28 2024 UTC