Asn]: session.hash_function silently fallback to default md5

yohgaki Sun, 28 Jul 2013 15:39:04 -0700

Edit report at https://bugs.php.net/bug.php?id=65315&edit=1


 ID:                 65315
 Updated by:         yohg...@php.net
 Reported by:        nbari at dalmp dot com
-Summary:            session.hash_function always using md5
+Summary:            session.hash_function silently fallback to default
                     md5
-Status:             Open
+Status:             Assigned
-Type:               Documentation Problem
+Type:               Bug
 Package:            Session related
-Operating System:   FreeBSD
+Operating System:   any
 PHP Version:        5.4.17
-Assigned To:        
+Assigned To:        yohgaki
 Block user comment: N
 Private report:     N



Previous Comments:
------------------------------------------------------------------------
[2013-07-28 22:33:38] yohg...@php.net

> And what about to check if there is a 'hash' function in the extensions 
> before 
using the defaults ?
> otherwise users are force to compile in the core the hash extension.

It does check before using hash function existence, therefore session module 
fallback to the default(MD5). 

Hash extension is enabled as default module like session module. I would 
suggest 
leave it as default. Otherwise, use md5 or sha1 or specify hash function at run 
time. (i.e. use ini_set())

It may be good raise E_WARNING error when session module fallback to default. 
I'll consider this.

------------------------------------------------------------------------
[2013-07-26 09:42:06] nbari at dalmp dot com

And what about to check if there is a 'hash' function in the extensions before 
using the defaults ?

otherwise users are force to compile in the core the hash extension.

------------------------------------------------------------------------
[2013-07-26 00:27:55] yohg...@php.net

This is expected (designed) behavior.

If there isn't a hash function, session module fallback to default hash 
function 
which is MD5 currently.

I'm not sure if this documented, so I left this as documentation problem.

------------------------------------------------------------------------
[2013-07-23 13:57:43] nbari at dalmp dot com

Description:
------------
session.hash_function not working when having the session and hash extension 
compiled out of the core.


ini_set('session.hash_function', 'sha256') returns a session with md5 hash not 
sha256


To fix this, php must be compiled using: --enable-hash and --enable-session
                                                                                
                                                                                
                                                                                
                                                                                
                                                                  
 

Test script:
---------------
<?php

ini_set('session.hash_function', 'sha256');
ini_set('session.hash_bits_per_character', 5);
session_start();
var_dump(session_id());

Expected result:
----------------
string(52) "qcpidhu1jabq225probhkmegnehkrp3fetpdvflumpfbdvo7gis0"

a session hashed with the specified algorithm, in this case 'sha256'


Actual result:
--------------
string(26) "h5rbp62tghln79n92cqicjmce5"

a session hashed with the md5 algo


------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=65315&edit=1

Doc->Bug #65315 [Opn->Asn]: session.hash_function silently fallback to default md5

Reply via email to