Edit report at https://bugs.php.net/bug.php?id=55787&edit=1
ID: 55787
User updated by: jason dot gerfen at gmail dot com
Reported by: jason dot gerfen at gmail dot com
Summary: session_id() - Limits on amount session_regenerate_id() can be used with sha512
Status: Open
Type: Bug
Package: Session related
Operating System: Linux
PHP Version: 5.3.8
Block user comment: N
Private report: N
New Comment:
I am familiar with the error and the thing that I find the strangest is that
the use of echo on a session variable would prevent the second echo statement
by producing errors.
Here in every instance any warnings and/or errors regarding the headers sent
occur at iteration 39 (default md5() session_id()) or iteration 19 (using
sha512() session_id()).
I suppose the use of the @session_id() should be used while testing entropy of
custom session_id()'s vs. the internal session.entropy_file,
session.entropy_length and session.hash_function options?
Previous Comments:
------------------------------------------------------------------------
[2011-09-29 10:59:23] matty at mattyasia dot com
This is a coding problem, not a bug. Perhaps an omission in the documentation
though.
You cannot use this function after you have sent any data to the browser.
So your problem here is that you have used "echo" before calling
"session_regenerate_id()", causing this error.
echo '<b>Testing with PHP defaults</b><br/>';
_loop(session_id(), 40, 'a');
------------------------------------------------------------------------
[2011-09-26 18:29:57] jason dot gerfen at gmail dot com
Description:
------------
I am not sure if this is a bug or a feature in terms of limits due to a test
case exceeding internal limits.
Scenario #1.
Using session_regenerate_id() over 39 times results in the following errors:
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot
regenerate session id - headers already sent
Scenario #2.
Using session_regenerate_id() over 19 times results in the following errors:
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot
regenerate session id - headers already sent; when the following parameters are
modified:
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");
ini_set("session.hash_function", "sha512");
Test script:
---------------
<?php
session_start();

// Regenerate the session ID (deleting the old session), then assign the
// value passed in by the caller back to $_SESSION.
function _regenIDdef($old){
    session_regenerate_id(true);
    $_SESSION = $old;
}

// Print one line per iteration; this output is sent before the next
// session_regenerate_id() call.
function _prettyPrint($id, $i){
    echo sprintf('Iteration: %d : ID: %s => Length: %d<br/>', $i, $id,
        strlen((string)$id));
}

// Report every session ID that occurs more than once in the list.
function _collide($array){
    $x = 0;
    foreach($array as $k => $v){
        // array_keys() with a search value returns every key holding $v.
        if (count(array_keys($array, $v)) > 1){
            $x++;
            echo sprintf('Collision found at %d session id %s<br/>', $k, $v);
        }
    }
    echo sprintf('Total collisions found %d<br/>', $x);
}

// Regenerate $int times, printing and recording each new ID.
function _loop($id, $int){
    $a = array();
    for($i=0; $i<$int; $i++){
        _regenIDdef($id);
        _prettyPrint(session_id(), $i);
        $a[$i]=session_id();
    }
    _collide($a);
}

echo '<b>Testing with PHP defaults</b><br/>';
_loop(session_id(), 40, 'a');

echo '<b>Testing with /dev/urandom & entropy 32</b><br/>';
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");
ini_set("session.hash_function", "sha512");
_loop(session_id(), 20, 'a');
?>
Expected result:
----------------
No errors returning about not being able to regenerate a new session_id
Actual result:
--------------
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot
regenerate session id - headers already sent
------------------------------------------------------------------------
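Added example, not part of the original report or of PHP's own code: a variant of the regeneration test that follows the 2011-09-29 comment by making every session_regenerate_id() call before any output is sent, and that uses headers_sent() to report where output began if it has. The helper names regenerate_ids() and find_collisions() are hypothetical, and the default session settings are assumed.

```php
<?php
// Added example: buffer output so nothing reaches the client while
// Set-Cookie headers for regenerated IDs still have to be sent.
ob_start();
session_start();

// Regenerate the session ID $count times and return the IDs seen.
// Stops early, with a diagnostic, if output has already been sent.
function regenerate_ids($count)
{
    $ids = array();
    for ($i = 0; $i < $count; $i++) {
        // headers_sent() fills $file/$line with where output started.
        if (headers_sent($file, $line)) {
            error_log("iteration $i: output started at $file:$line");
            break;
        }
        session_regenerate_id(true);   // true = delete the old session
        $ids[] = session_id();
    }
    return $ids;
}

// Return each ID that occurs more than once, mapped to its count.
function find_collisions(array $ids)
{
    $dupes = array();
    foreach (array_count_values($ids) as $id => $n) {
        if ($n > 1) {
            $dupes[$id] = $n;
        }
    }
    return $dupes;
}

$ids   = regenerate_ids(40);
$dupes = find_collisions($ids);

// Only now produce output; every header has already been queued.
foreach ($ids as $i => $id) {
    printf("Iteration: %d : ID: %s => Length: %d<br/>\n",
        $i, htmlspecialchars($id), strlen($id));
}
printf("Total collisions found %d<br/>\n", count($dupes));
ob_end_flush();
```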