Skip to content

Commit

Permalink
Merge pull request #9139 from kenjis/session-sid-change
Browse files Browse the repository at this point in the history
[4.6] feat: force PHP default 32 chars length at 4 bits to Session ID
  • Loading branch information
kenjis authored Sep 5, 2024
2 parents dc45e42 + 703c273 commit 8442cb1
Show file tree
Hide file tree
Showing 5 changed files with 84 additions and 57 deletions.
30 changes: 30 additions & 0 deletions system/Debug/Exceptions.php
Original file line number Diff line number Diff line change
Expand Up @@ -209,6 +209,10 @@ public function exceptionHandler(Throwable $exception)
public function errorHandler(int $severity, string $message, ?string $file = null, ?int $line = null)
{
if ($this->isDeprecationError($severity)) {
if ($this->isSessionSidDeprecationError($message, $file, $line)) {
return true;
}

if (! $this->config->logDeprecations || (bool) env('CODEIGNITER_SCREAM_DEPRECATIONS')) {
throw new ErrorException($message, 0, $severity, $file, $line);
}
Expand All @@ -223,6 +227,32 @@ public function errorHandler(int $severity, string $message, ?string $file = nul
return false; // return false to propagate the error to PHP standard error handler
}

/**
* Handles session.sid_length and session.sid_bits_per_character deprecations
* in PHP 8.4.
*/
private function isSessionSidDeprecationError(string $message, ?string $file = null, ?int $line = null): bool
{
if (
PHP_VERSION_ID >= 80400
&& str_contains($message, 'session.sid_')
) {
log_message(
LogLevel::WARNING,
'[DEPRECATED] {message} in {errFile} on line {errLine}.',
[
'message' => $message,
'errFile' => clean_path($file ?? ''),
'errLine' => $line ?? 0,
]
);

return true;
}

return false;
}

/**
* Checks to see if any errors have happened during shutdown that
* need to be caught and handle them.
Expand Down
33 changes: 13 additions & 20 deletions system/Session/Handlers/FileHandler.php
Original file line number Diff line number Diff line change
Expand Up @@ -309,32 +309,25 @@ public function gc($max_lifetime)

/**
* Configure Session ID regular expression
*
* To make life easier, we force the PHP defaults. Because PHP9 forces them.
* See https://wiki.php.net/rfc/deprecations_php_8_4#sessionsid_length_and_sessionsid_bits_per_character
*/
protected function configureSessionIDRegex()
{
$bitsPerCharacter = (int) ini_get('session.sid_bits_per_character');
$SIDLength = (int) ini_get('session.sid_length');

if (($bits = $SIDLength * $bitsPerCharacter) < 160) {
// Add as many more characters as necessary to reach at least 160 bits
$SIDLength += (int) ceil((160 % $bits) / $bitsPerCharacter);
ini_set('session.sid_length', (string) $SIDLength);
}

switch ($bitsPerCharacter) {
case 4:
$this->sessionIDRegex = '[0-9a-f]';
break;
$sidLength = (int) ini_get('session.sid_length');

case 5:
$this->sessionIDRegex = '[0-9a-v]';
break;

case 6:
$this->sessionIDRegex = '[0-9a-zA-Z,-]';
break;
// We force the PHP defaults.
if (PHP_VERSION_ID < 90000) {
if ($bitsPerCharacter !== 4) {
ini_set('session.sid_bits_per_character', '4');
}
if ($sidLength !== 32) {
ini_set('session.sid_length', '32');
}
}

$this->sessionIDRegex .= '{' . $SIDLength . '}';
$this->sessionIDRegex = '[0-9a-f]{32}';
}
}
50 changes: 13 additions & 37 deletions system/Session/Session.php
Original file line number Diff line number Diff line change
Expand Up @@ -316,49 +316,25 @@ protected function configure()
/**
* Configure session ID length
*
* To make life easier, we used to force SHA-1 and 4 bits per
* character on everyone. And of course, someone was unhappy.
*
* Then PHP 7.1 broke backwards-compatibility because ext/session
* is such a mess that nobody wants to touch it with a pole stick,
* and the one guy who does, nobody has the energy to argue with.
*
* So we were forced to make changes, and OF COURSE something was
* going to break and now we have this pile of shit. -- Narf
* To make life easier, we force the PHP defaults. Because PHP9 forces them.
* See https://wiki.php.net/rfc/deprecations_php_8_4#sessionsid_length_and_sessionsid_bits_per_character
*/
protected function configureSidLength()
{
$bitsPerCharacter = (int) (ini_get('session.sid_bits_per_character') !== false
? ini_get('session.sid_bits_per_character')
: 4);

$sidLength = (int) (ini_get('session.sid_length') !== false
? ini_get('session.sid_length')
: 40);

if (($sidLength * $bitsPerCharacter) < 160) {
$bits = ($sidLength * $bitsPerCharacter);
// Add as many more characters as necessary to reach at least 160 bits
$sidLength += (int) ceil((160 % $bits) / $bitsPerCharacter);
ini_set('session.sid_length', (string) $sidLength);
}
$bitsPerCharacter = (int) ini_get('session.sid_bits_per_character');
$sidLength = (int) ini_get('session.sid_length');

// Yes, 4,5,6 are the only known possible values as of 2016-10-27
switch ($bitsPerCharacter) {
case 4:
$this->sidRegexp = '[0-9a-f]';
break;

case 5:
$this->sidRegexp = '[0-9a-v]';
break;

case 6:
$this->sidRegexp = '[0-9a-zA-Z,-]';
break;
// We force the PHP defaults.
if (PHP_VERSION_ID < 90000) {
if ($bitsPerCharacter !== 4) {
ini_set('session.sid_bits_per_character', '4');
}
if ($sidLength !== 32) {
ini_set('session.sid_length', '32');
}
}

$this->sidRegexp .= '{' . $sidLength . '}';
$this->sidRegexp = '[0-9a-f]{32}';
}

/**
Expand Down
7 changes: 7 additions & 0 deletions user_guide_src/source/changelogs/v4.6.0.rst
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,13 @@ environment, this behavior has been fixed so that error details are displayed if
With this fix, the error details are now displayed under the same conditions for
both HTML requests and non-HTML requests.

Session ID (SID)
----------------

Now ``Session`` library forces to use the PHP default 32 character SIDs, with 4
bits of entropy per character.
See :ref:`Upgrading Guide <upgrade-460-sid-change>` for details.

.. _v460-interface-changes:

Interface Changes
Expand Down
21 changes: 21 additions & 0 deletions user_guide_src/source/installation/upgrade_460.rst
Original file line number Diff line number Diff line change
Expand Up @@ -126,6 +126,27 @@ The following is an example of code that will no longer work:

.. literalinclude:: upgrade_460/001.php

.. _upgrade-460-sid-change:

Session ID (SID) Change
=======================

Now :doc:`../libraries/sessions` forces to use the PHP default 32 character SIDs,
with 4 bits of entropy per character. This change is to match the behavior of
PHP 9.

In other words, the following settings are always used:

.. code-block:: ini
session.sid_bits_per_character = 4
session.sid_length = 32
In previous versions, the PHP ini settings was respected. So this change may
change your SID length.

If you cannot accept this change, customize the Session library.

Interface Changes
=================

Expand Down

0 comments on commit 8442cb1

Please sign in to comment.