Edit report at https://bugs.php.net/bug.php?id=65315&edit=1
ID: 65315
Updated by: yohg...@php.net
Reported by: nbari at dalmp dot com
Summary: session.hash_function silently fallback to default
md5
-Status: Assigned
+Status: Closed
Type: Bug
Package: Session related
Operating System: any
PHP Version: 5.4.17
Assigned To: yohgaki
Block user comment: N
Private report: N
New Comment:
Automatic comment on behalf of yohgaki
Revision:
http://git.php.net/?p=php-src.git;a=commit;h=b6b425d2cf767e47e9d05fbfe1328f1485a488ef
Log: Fixed Bug #65315 session.hash_function silently fallback to default md5
Previous Comments:
------------------------------------------------------------------------
[2013-07-28 22:33:38] yohg...@php.net
> And what about to check if there is a 'hash' function in the extensions
> before
using the defaults ?
> otherwise users are force to compile in the core the hash extension.
It does check before using hash function existence, therefore session module
fallback to the default(MD5).
Hash extension is enabled as default module like session module. I would
suggest
leave it as default. Otherwise, use md5 or sha1 or specify hash function at run
time. (i.e. use ini_set())
It may be good raise E_WARNING error when session module fallback to default.
I'll consider this.
------------------------------------------------------------------------
[2013-07-26 09:42:06] nbari at dalmp dot com
And what about to check if there is a 'hash' function in the extensions before
using the defaults ?
otherwise users are force to compile in the core the hash extension.
------------------------------------------------------------------------
[2013-07-26 00:27:55] yohg...@php.net
This is expected (designed) behavior.
If there isn't a hash function, session module fallback to default hash
function
which is MD5 currently.
I'm not sure if this documented, so I left this as documentation problem.
------------------------------------------------------------------------
[2013-07-23 13:57:43] nbari at dalmp dot com
Description:
------------
session.hash_function not working when having the session and hash extension
compiled out of the core.
ini_set('session.hash_function', 'sha256') returns a session with md5 hash not
sha256
To fix this, php must be compiled using: --enable-hash and --enable-session
Test script:
---------------
<?php
ini_set('session.hash_function', 'sha256');
ini_set('session.hash_bits_per_character', 5);
session_start();
var_dump(session_id());
Expected result:
----------------
string(52) "qcpidhu1jabq225probhkmegnehkrp3fetpdvflumpfbdvo7gis0"
a session hashed with the specified algorithm, in this case 'sha256'
Actual result:
--------------
string(26) "h5rbp62tghln79n92cqicjmce5"
a session hashed with the md5 algo
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=65315&edit=1
