Bug #53789 [Opn->Fbk]: Setting session.hash_function doesn't change hash function used.

Tue, 01 Feb 2011 05:39:28 -0800 

Edit report at http://bugs.php.net/bug.php?id=53789&edit=1

 ID:                 53789
 Updated by:         il...@php.net
 Reported by:        richard at blueapex dot co dot uk
 Summary:            Setting session.hash_function doesn't change hash
                     function used.
-Status:             Open
+Status:             Feedback
 Type:               Bug
 Package:            Session related
 Operating System:   Freebsd 8.1
 PHP Version:        5.3.5
 Block user comment: N
 Private report:     N

 New Comment:

Do you have the hash extension enabled? Without that extension, hashing
algorithms 

other than md5/sha1 will not be available.


Previous Comments:
------------------------------------------------------------------------
[2011-01-30 14:07:14] datahell at elxis dot org

I face the same problem on PHP 5.2.5 (x64) on my local installation
Windows Vista 64bit.

------------------------------------------------------------------------
[2011-01-19 14:23:34] richard at blueapex dot co dot uk

Description:
------------
This may be an apache bug, though I'll start with putting it down as
php. There is a similar bug: Bug #49469 submitted in 2009 with advice
try the latest snapshot, that was version 5.3.0 and I'm using version
5.3.5 so assuming that advice isn't valid and the bug still exists.



Setting session.hash_function variable in php.ini doesn't change the
value used to generate the hash function.



I've tried sha512, sha1, whirlpool. All of these don't change the hash
delivered to the browser (PHPSESSID) and still the standard md5() hash
is used.



All the hash algos tried are on the system when the output of
hash_algos() is examined.



Specifying 1 does make the system use SHA1 to generate the session
hash.



##############################



Revelant. php.ini



session.save_handler = files

session.use_cookies = 1

session.use_only_cookies = 1

session.name = PHPSESSID

session.auto_start = 0

session.cookie_lifetime = 0

session.cookie_path = /

session.cookie_domain =

session.cookie_httponly =

session.serialize_handler = php

session.gc_probability = 1

session.gc_divisor = 1000

session.gc_maxlifetime = 1440

session.bug_compat_42 = On

session.bug_compat_warn = On

session.referer_check =

session.entropy_length = 0

session.entropy_file =

session.cache_limiter = nocache

session.cache_expire = 180

session.use_trans_sid = 0

session.hash_function = sha512

session.hash_bits_per_character = 5

url_rewriter.tags =
"a=href,area=href,frame=src,input=src,form=fakeentry"

Test script:
---------------
session_start()

Expected result:
----------------
sha512 generated PHPSESSID

Actual result:
--------------
md5 generated PHPSESSID


------------------------------------------------------------------------



-- 
Edit this bug report at http://bugs.php.net/bug.php?id=53789&edit=1

Reply via email to