Edit report at https://bugs.php.net/bug.php?id=55787&edit=1
ID: 55787 User updated by: jason dot gerfen at gmail dot com Reported by: jason dot gerfen at gmail dot com Summary: session_id() - Limits on amount session_regenerate_id() can be used with sha512 Status: Open Type: Bug Package: Session related Operating System: Linux PHP Version: 5.3.8 Block user comment: N Private report: N New Comment: I am familiar with the error and the thing that I find the strangest is that the use of echo on a session variable would prevent the second echo statement by producing errors. Here in every instance any warnings and/or errors regarding the headers sent occurs at iteration 39 (default md5() session_id()) or iteration 19 (using sha512() session_id()). I suppose the use of the @session_id() should be used while testing entropy of custom session_id()'s vs. the internal session.entropy_file, session.entropy_length and session.hash_function options? Previous Comments: ------------------------------------------------------------------------ [2011-09-29 10:59:23] matty at mattyasia dot com This is a coding problem, not a bug. Perhaps an omission in the documentation though. You can not use this function after you have sent any data to the browser. So your problem here is that you have used "echo" before calling "session_regenerate_id()", causing this error. echo '<b>Testing with PHP defaults</b><br/>'; _loop(session_id(), 40, 'a'); ------------------------------------------------------------------------ [2011-09-26 18:29:57] jason dot gerfen at gmail dot com Description: ------------ I am not sure if this is a bug or a feature in terms of limits due to a test case exceeding internal limits. Scenario #1. Using session_regenerate_id() over 39 times results in the following errors: Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent Scenario #2. Using session_regenerate_id() over 19 times results in the following errors: Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent; when the following parameters are modified: ini_set("session.entropy_file", "/dev/urandom"); ini_set("session.entropy_length", "512"); ini_set("session.hash_function", "sha512"); Test script: --------------- session_start(); function _regenIDdef($old){ session_regenerate_id(true); $_SESSION = $old; } function _prettyPrint($id, $i){ echo sprintf('Iteration: %d : ID: %s => Length: %d<br/>', $i, $id, strlen((string)$id)); } function _collide($array){ $x=0; foreach($array as $k => $v){ if (count(in_array($v, $array))>1){ $x = $x++; echo sprintf('Collision found at %d session id %s<br/>', $k, $v); } } echo sprintf('Total collisions found %d<br/>', $x); } function _loop($id, $int){ $a = array(); for($i=0; $i<$int; $i++){ _regenIDdef($id); _prettyPrint(session_id(), $i); $a[$i]=session_id(); } _collide($a); } echo '<b>Testing with PHP defaults</b><br/>'; _loop(session_id(), 40, 'a'); echo '<b>Testing with /dev/urandom & entropy 32</b><br/>'; ini_set("session.entropy_file", "/dev/urandom"); ini_set("session.entropy_length", "512"); ini_set("session.hash_function", "sha512"); _loop(session_id(), 20, 'a'); ?> Expected result: ---------------- No errors returning about not being able to regenerate a new session_id Actual result: -------------- Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot regenerate session id - headers already sent ------------------------------------------------------------------------ -- Edit this bug report at https://bugs.php.net/bug.php?id=55787&edit=1