From:
Operating system: Linux
PHP version: 5.3.8
Package: Session related
Bug Type: Bug
Bug description:session_id() - Limits on amount session_regenerate_id() can be
used with sha512
Description:
------------
I am not sure if this is a bug or a feature in terms of limits due to a
test case exceeding internal limits.
Scenario #1.
Using session_regenerate_id() over 39 times results in the following
errors:
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot
regenerate session id - headers already sent
Scenario #2.
Using session_regenerate_id() over 19 times results in the following
errors:
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot
regenerate session id - headers already sent; when the following parameters
are modified:
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");
ini_set("session.hash_function", "sha512");
Test script:
---------------
session_start();
function _regenIDdef($old){
session_regenerate_id(true);
$_SESSION = $old;
}
function _prettyPrint($id, $i){
echo sprintf('Iteration: %d : ID: %s => Length: %d<br/>', $i, $id,
strlen((string)$id));
}
function _collide($array){
$x=0;
foreach($array as $k => $v){
if (count(in_array($v, $array))>1){
$x = $x++;
echo sprintf('Collision found at %d session id %s<br/>', $k, $v);
}
}
echo sprintf('Total collisions found %d<br/>', $x);
}
function _loop($id, $int){
$a = array();
for($i=0; $i<$int; $i++){
_regenIDdef($id);
_prettyPrint(session_id(), $i);
$a[$i]=session_id();
}
_collide($a);
}
echo '<b>Testing with PHP defaults</b><br/>';
_loop(session_id(), 40, 'a');
echo '<b>Testing with /dev/urandom & entropy 32</b><br/>';
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");
ini_set("session.hash_function", "sha512");
_loop(session_id(), 20, 'a');
?>
Expected result:
----------------
No errors returning about not being able to regenerate a new session_id
Actual result:
--------------
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot
regenerate session id - headers already sent
--
Edit bug report at https://bugs.php.net/bug.php?id=55787&edit=1
--
Try a snapshot (PHP 5.4):
https://bugs.php.net/fix.php?id=55787&r=trysnapshot54
Try a snapshot (PHP 5.3):
https://bugs.php.net/fix.php?id=55787&r=trysnapshot53
Try a snapshot (trunk):
https://bugs.php.net/fix.php?id=55787&r=trysnapshottrunk
Fixed in SVN:
https://bugs.php.net/fix.php?id=55787&r=fixed
Fixed in SVN and need be documented:
https://bugs.php.net/fix.php?id=55787&r=needdocs
Fixed in release:
https://bugs.php.net/fix.php?id=55787&r=alreadyfixed
Need backtrace:
https://bugs.php.net/fix.php?id=55787&r=needtrace
Need Reproduce Script:
https://bugs.php.net/fix.php?id=55787&r=needscript
Try newer version:
https://bugs.php.net/fix.php?id=55787&r=oldversion
Not developer issue:
https://bugs.php.net/fix.php?id=55787&r=support
Expected behavior:
https://bugs.php.net/fix.php?id=55787&r=notwrong
Not enough info:
https://bugs.php.net/fix.php?id=55787&r=notenoughinfo
Submitted twice:
https://bugs.php.net/fix.php?id=55787&r=submittedtwice
register_globals:
https://bugs.php.net/fix.php?id=55787&r=globals
PHP 4 support discontinued:
https://bugs.php.net/fix.php?id=55787&r=php4
Daylight Savings: https://bugs.php.net/fix.php?id=55787&r=dst
IIS Stability:
https://bugs.php.net/fix.php?id=55787&r=isapi
Install GNU Sed:
https://bugs.php.net/fix.php?id=55787&r=gnused
Floating point limitations:
https://bugs.php.net/fix.php?id=55787&r=float
No Zend Extensions:
https://bugs.php.net/fix.php?id=55787&r=nozend
MySQL Configuration Error:
https://bugs.php.net/fix.php?id=55787&r=mysqlcfg
