Session: use session_regenerate_id() to obtain a fresh session id and… #339

Cy4n1d3 · 2015-09-04T10:33:37Z

… allow for different server configurations.

Improves on #306
Relates to #335, #336, #338

Issue:

PHP regenerates the session ID itself if the ID is not conforming to the configured hash function
the regex does not cover cases where session settings have been changed serverside

Fixes:

Information:

Signed-off-by: Cy4n1d3 [email protected]

… allow for different server configurations. Improves on #306 Relates to #335, #336, #338 Issue: - PHP regenerates the session ID itself if the ID is not conforming to the configured hash function - the regex does not cover cases where session settings have been changed serverside Fixes: - use native function to regenerate the session ID and assign it to the cookie - extends regex to match internal session verification function of PHP Information: - https://secure.php.net/manual/en/session.configuration.php#ini.session.hash-function - https://secure.php.net/manual/en/session.configuration.php#ini.session.hash-bits-per-character - https://github.com/php/php-src/blob/master/ext/session/session.c#L449 Signed-off-by: Cy4n1d3 <[email protected]>

virtualtam · 2015-09-04T19:57:17Z

=> should become an update of #338

let's keep issue- and code-related discussions at the same place
feels kind of weird to see a second active PR addressing the same issue and featuring a similar commit message

Cy4n1d3 · 2015-09-04T19:58:29Z

You're right, didn't think about that.

virtualtam · 2015-09-04T19:59:10Z

No problem :)

Improves shaarli#306 Relates to shaarli#335 & shaarli#336 Duplicated by shaarli#339 Issues: - PHP regenerates the session ID if it is not compliant - the regex checking the session ID does not cover all cases - different algorithms: md5, sha1, sha256, etc. - bit representations: 4, 5, 6 Fix: - regex: support all possible characters - '[a-zA-Z,-]{2,128}' - tests: add coverage for all algorithms & bit representations TODO: - remove `uniqid()` usage See: - http://php.net/manual/en/session.configuration.php#ini.session.hash-function - https://secure.php.net/manual/en/session.configuration.php#ini.session.hash-bits-per-character - http://php.net/manual/en/function.session-id.php - http://php.net/manual/en/function.session-regenerate-id.php - http://php.net/manual/en/function.hash-algos.php Signed-off-by: VirtualTam <[email protected]>

Improves shaarli#306 Relates to shaarli#335 & shaarli#336 Duplicated by shaarli#339 Issues: - PHP regenerates the session ID if it is not compliant - the regex checking the session ID does not cover all cases - different algorithms: md5, sha1, sha256, etc. - bit representations: 4, 5, 6 Fix: - `index.php`: - remove `uniqid()` usage - call `session_regenerate_id()` if an invalid cookie is detected - regex: support all possible characters - '[a-zA-Z,-]{2,128}' - tests: add coverage for all algorithms & bit representations See: - http://php.net/manual/en/session.configuration.php#ini.session.hash-function - https://secure.php.net/manual/en/session.configuration.php#ini.session.hash-bits-per-character - http://php.net/manual/en/function.session-id.php - http://php.net/manual/en/function.session-regenerate-id.php - http://php.net/manual/en/function.hash-algos.php Signed-off-by: VirtualTam <[email protected]>

Cy4n1d3 mentioned this pull request Sep 4, 2015

Session ID: extend the regex to match possible hash representations #338

Merged

Cy4n1d3 closed this Sep 4, 2015

Cy4n1d3 deleted the fix/sess-id branch September 4, 2015 22:03

Provide feedback