
Comments (4)

voku commented on August 22, 2024

Thanks for the info! 👍

fixed -> 0e23f8d
tests -> https://travis-ci.org/voku/session2db/builds/228383210

from session2db.

P-a-d-r-a-i-g commented on August 22, 2024

I don't think this will resolve it.

According to PHP RFC: Session ID without hashing, the implementation has the following defaults due to backwards compatibility:

session.sid_length=26
session.sid_bits_per_character=5

Your previous session.hash_function value of 1 means SHA-1 (160 bits / 20 bytes) but this won't make a difference as the hashing function is replaced anyway. Also, you have session_id varchar(32) for the table.

Your previous session.hash_bits_per_character value of 6 would need to be applied to session.sid_bits_per_character instead as it defaults to 5.


voku commented on August 22, 2024

The new default settings from PHP are backwards compatible, so 32 chars is still working (see the tests at Travis-CI). But in the next major release, we can add breaking changes (BC) and we can increase the values... I will test it.


P-a-d-r-a-i-g commented on August 22, 2024

Ya, I meant that the number of characters will be fine for your current release, but the main part I want you to know about is that the bits per character will actually decrease from your original code with the default PHP 7.1 values. You have the following pre-PHP 7.1 code that sets bits per character to 6, but that INI has been removed in PHP 7.1:

```php
// Increase character-range of the session ID to help prevent brute-force attacks
ini_set('session.hash_bits_per_character', 6);
```

The new PHP 7.1 default of session.sid_bits_per_character is 5, not 6 as you originally intended to help prevent brute force attacks.

So, what I'm saying is that you need to replace the pre-PHP 7.1 code of ini_set('session.hash_bits_per_character', 6) with the new session.sid_bits_per_character. You have just an "if not PHP 7.1" statement around the original ini_set, so this means the default of 5 bits per character will be used.

Hope this clarifies it.

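To make the point of the thread concrete, here is an added example (not session2db's own code) that applies the version-appropriate INI settings and reports the resulting session ID entropy and length, so the outcome can be checked against the session_id varchar(32) column. The helper names are assumptions for illustration.

```php
<?php
// Added example, not session2db's code: choose the session ID settings that
// the running PHP version actually honours, so that entropy does not silently
// drop from 6 to 5 bits per character when the old INI is ignored on 7.1+.
function configureSessionIdEntropy(int $bitsPerChar = 6, int $length = 26): void
{
    if (PHP_VERSION_ID >= 70100) {
        // PHP 7.1+: the ID is drawn directly from the CSPRNG and is shaped
        // only by these two INIs (sid_bits_per_character: 4, 5 or 6;
        // sid_length: 22..256). hash_bits_per_character is gone here.
        ini_set('session.sid_bits_per_character', (string) $bitsPerChar);
        ini_set('session.sid_length', (string) $length);
    } else {
        // Pre-7.1: the ID is the encoded output of a hash; 1 = SHA-1 (160 bits).
        // Its length follows from the hash size, e.g. ceil(160 / 6) = 27 chars.
        ini_set('session.hash_function', '1');
        ini_set('session.hash_bits_per_character', (string) $bitsPerChar);
    }
}

// Describe what a 7.1+ configuration yields: total entropy in bits and
// whether the ID still fits the storage column (varchar(32) in session2db).
function describeSessionId(int $bitsPerChar, int $length): array
{
    return [
        'chars'          => $length,
        'entropy_bits'   => $length * $bitsPerChar,
        'fits_varchar32' => $length <= 32,
    ];
}

// PHP 7.1 built-in defaults quoted in the thread: 26 chars x 5 bits = 130 bits.
print_r(describeSessionId(5, 26));
// The originally intended 6 bits per character: 26 chars x 6 bits = 156 bits.
print_r(describeSessionId(6, 26));

configureSessionIdEntropy(6, 26);
```

Because PHP 7.1 ignores session.hash_bits_per_character, only the first branch changes anything on current PHP, which is exactly why the old ini_set alone leaves the 5-bit default in force.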
