Bug #77330 session_id() no longer works inside custom SessionHandlerInterface
Submitted: 2018-12-20 21:10 UTC
Modified: 2019-01-02 09:09 UTC
From: e6990620 at gmail dot com
Assigned: yohgaki
Status: Assigned
Package: Session related
PHP Version: 7.3.0
OS: Linux
Private report: No
CVE-ID: None

 [2018-12-20 21:10 UTC] e6990620 at gmail dot com
Description:
------------
Up until PHP 7.3.0, when you wrote a custom SessionHandlerInterface, you could signal the PHP engine to regenerate the ID by calling session_id('newvalue') inside its read() method. Then, when the session closed and the engine called the write() method, $session_id used to be the new value.

Starting from PHP 7.3.0 this pattern no longer works, as write() receives the stale value.

Might be related to https://bugs.php.net/bug.php?id=74941 since it is the only session-related change in this new major release.

Another bug report of the same issue in a real world session handler: https://github.com/1ma/RedisSessionHandler/issues/11

Test script:
---------------
https://3v4l.org/6S4XM

Expected result:
----------------
$ curl -i -H "Cookie: PHPSESSID=madeupkey;" localhost/bug.php;

HTTP/1.1 200 OK
Server: nginx/1.13.12
Date: Thu, 20 Dec 2018 20:51:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.2.13                 <------------ PHP 7.2
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache

newsessionid

Actual result:
--------------
$ curl -i -H "Cookie: PHPSESSID=madeupkey;" localhost/bug.php;

HTTP/1.1 200 OK
Server: nginx/1.13.12
Date: Thu, 20 Dec 2018 20:51:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.3.0                  <------------ PHP 7.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache

madeupkey        <------ successful session fixation attack

 [2018-12-21 15:05 UTC] cmb@php.net
-Status: Open
+Status: Assigned
-Assigned To:
+Assigned To: yohgaki
 [2018-12-21 15:05 UTC] cmb@php.net
This behavioral change has been introduced by merging pull request
2406[1].  Yasuo, can you please have a look at this?  There will
also be a warning, if the session ID is changed in
SessionHandlerInterface::open().

[1] <https://github.com/php/php-src/pull/2406>
 [2019-01-02 09:09 UTC] nikic@php.net
Maybe we should revert this change for now? Until someone with good ext/session understanding can look at this, I think it's okay to just drop the warning in the meantime.
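
Added example, not part of the report or of any comment above: a handler that refuses a client-chosen ID such as the report's "madeupkey" without calling session_id() inside read(), by implementing SessionIdInterface and SessionUpdateTimestampHandlerInterface and enabling session.use_strict_mode. The class name ArrayHandler and its in-memory store are hypothetical, and the report itself does not discuss this approach.

```php
<?php
// Added example (not the reporter's test script). ArrayHandler and its array
// store are hypothetical stand-ins for a real backend such as Redis.
final class ArrayHandler implements SessionHandlerInterface, SessionIdInterface,
    SessionUpdateTimestampHandlerInterface
{
    public $store = [];    // session ID => serialized session data
    public $written = [];  // every ID the engine passed to write()

    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }
    public function read($id): string { return $this->store[$id] ?? ''; }
    public function write($id, $data): bool
    {
        $this->store[$id] = $data;
        $this->written[] = $id;
        return true;
    }
    public function destroy($id): bool { unset($this->store[$id]); return true; }
    public function gc($maxLifetime): int { return 0; }

    // The engine calls this whenever it needs a fresh ID.
    public function create_sid(): string { return bin2hex(random_bytes(16)); }

    // With session.use_strict_mode=1, returning false here makes the engine
    // discard the supplied ID and call create_sid() before read() runs.
    public function validateId($id): bool { return isset($this->store[$id]); }

    // Called instead of write() when lazy_write finds the data unchanged.
    public function updateTimestamp($id, $data): bool { return true; }
}

ini_set('session.use_strict_mode', '1');
$handler = new ArrayHandler();
session_set_save_handler($handler, true);

// Constructed input: stands in for the request header "Cookie: PHPSESSID=madeupkey".
session_id('madeupkey');
session_start();
$issued = session_id();
$_SESSION['user'] = 'demo';
session_write_close();

echo 'client-supplied ID kept: ', var_export($issued === 'madeupkey', true), PHP_EOL;
echo 'write() saw only the issued ID: ',
    var_export($handler->written === [$issued], true), PHP_EOL;
```

Run from the CLI, the script reports whether the unknown ID was kept and which ID reached write(), the same two observations the report makes with curl.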
 
Last updated: Wed Jan 16 12:01:25 2019 UTC