From: Operating system: Freebsd 8.1 PHP version: 5.3.5 Package: Session related Bug Type: Bug Bug description:Setting session.hash_function doesn't change hash function used.
Description: ------------ This may be an apache bug, though I'll start with putting it down as php. There is a similar bug: Bug #49469 submitted in 2009 with advice try the latest snapshot, that was version 5.3.0 and I'm using version 5.3.5 so assuming that advice isn't valid and the bug still exists. Setting session.hash_function variable in php.ini doesn't change the value used to generate the hash function. I've tried sha512, sha1, whirlpool. All of these don't change the hash delivered to the browser (PHPSESSID) and still the standard md5() hash is used. All the hash algos tried are on the system when the output of hash_algos() is examined. Specifying 1 does make the system use SHA1 to generate the session hash. ############################## Revelant. php.ini session.save_handler = files session.use_cookies = 1 session.use_only_cookies = 1 session.name = PHPSESSID session.auto_start = 0 session.cookie_lifetime = 0 session.cookie_path = / session.cookie_domain = session.cookie_httponly = session.serialize_handler = php session.gc_probability = 1 session.gc_divisor = 1000 session.gc_maxlifetime = 1440 session.bug_compat_42 = On session.bug_compat_warn = On session.referer_check = session.entropy_length = 0 session.entropy_file = session.cache_limiter = nocache session.cache_expire = 180 session.use_trans_sid = 0 session.hash_function = sha512 session.hash_bits_per_character = 5 url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry" Test script: --------------- session_start() Expected result: ---------------- sha512 generated PHPSESSID Actual result: -------------- md5 generated PHPSESSID -- Edit bug report at http://bugs.php.net/bug.php?id=53789&edit=1 -- Try a snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=53789&r=trysnapshot52 Try a snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=53789&r=trysnapshot53 Try a snapshot (trunk): http://bugs.php.net/fix.php?id=53789&r=trysnapshottrunk Fixed in SVN: http://bugs.php.net/fix.php?id=53789&r=fixed Fixed in SVN and need be documented: http://bugs.php.net/fix.php?id=53789&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=53789&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=53789&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=53789&r=needscript Try newer version: http://bugs.php.net/fix.php?id=53789&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=53789&r=support Expected behavior: http://bugs.php.net/fix.php?id=53789&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=53789&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=53789&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=53789&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=53789&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=53789&r=dst IIS Stability: http://bugs.php.net/fix.php?id=53789&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=53789&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=53789&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=53789&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=53789&r=mysqlcfg
