Skip to content

Commit

Permalink
fix!: we force PHP defaults of session.sid_bits_per_character/session…
Browse files Browse the repository at this point in the history 
….sid_length

They are deprecated in PHP 8.4.
  • Loading branch information
@kenjis
kenjis committed Aug 22, 2024
1 parent 8b034b8 commit c9434c9
Show file tree
Hide file tree
Showing 2 changed files with 26 additions and 57 deletions.
33 changes: 13 additions & 20 deletions system/Session/Handlers/FileHandler.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -309,32 +309,25 @@ public function gc($max_lifetime)

/**
* Configure Session ID regular expression
*
* To make life easier, we force the PHP defaults. Because PHP9 forces them.
* See https://wiki.php.net/rfc/deprecations_php_8_4#sessionsid_length_and_sessionsid_bits_per_character
*/
protected function configureSessionIDRegex()
{
$bitsPerCharacter = (int) ini_get('session.sid_bits_per_character');
$SIDLength = (int) ini_get('session.sid_length');

if (($bits = $SIDLength * $bitsPerCharacter) < 160) {
// Add as many more characters as necessary to reach at least 160 bits
$SIDLength += (int) ceil((160 % $bits) / $bitsPerCharacter);
ini_set('session.sid_length', (string) $SIDLength);
}

switch ($bitsPerCharacter) {
case 4:
$this->sessionIDRegex = '[0-9a-f]';
break;
$sidLength = (int) ini_get('session.sid_length');

case 5:
$this->sessionIDRegex = '[0-9a-v]';
break;

case 6:
$this->sessionIDRegex = '[0-9a-zA-Z,-]';
break;
// We force the PHP defaults.
if (PHP_VERSION_ID < 90000) {
if ($bitsPerCharacter !== 4) {
ini_set('session.sid_bits_per_character', '4');
}
if ($sidLength !== 32) {
ini_set('session.sid_length', '32');
}
}

$this->sessionIDRegex .= '{' . $SIDLength . '}';
$this->sessionIDRegex = '[0-9a-f]{32}';
}
}
50 changes: 13 additions & 37 deletions system/Session/Session.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -316,49 +316,25 @@ protected function configure()
/**
* Configure session ID length
*
* To make life easier, we used to force SHA-1 and 4 bits per
* character on everyone. And of course, someone was unhappy.
*
* Then PHP 7.1 broke backwards-compatibility because ext/session
* is such a mess that nobody wants to touch it with a pole stick,
* and the one guy who does, nobody has the energy to argue with.
*
* So we were forced to make changes, and OF COURSE something was
* going to break and now we have this pile of shit. -- Narf
* To make life easier, we force the PHP defaults. Because PHP9 forces them.
* See https://wiki.php.net/rfc/deprecations_php_8_4#sessionsid_length_and_sessionsid_bits_per_character
*/
protected function configureSidLength()
{
$bitsPerCharacter = (int) (ini_get('session.sid_bits_per_character') !== false
? ini_get('session.sid_bits_per_character')
: 4);

$sidLength = (int) (ini_get('session.sid_length') !== false
? ini_get('session.sid_length')
: 40);

if (($sidLength * $bitsPerCharacter) < 160) {
$bits = ($sidLength * $bitsPerCharacter);
// Add as many more characters as necessary to reach at least 160 bits
$sidLength += (int) ceil((160 % $bits) / $bitsPerCharacter);
ini_set('session.sid_length', (string) $sidLength);
}
$bitsPerCharacter = (int) ini_get('session.sid_bits_per_character');
$sidLength = (int) ini_get('session.sid_length');

// Yes, 4,5,6 are the only known possible values as of 2016-10-27
switch ($bitsPerCharacter) {
case 4:
$this->sidRegexp = '[0-9a-f]';
break;

case 5:
$this->sidRegexp = '[0-9a-v]';
break;

case 6:
$this->sidRegexp = '[0-9a-zA-Z,-]';
break;
// We force the PHP defaults.
if (PHP_VERSION_ID < 90000) {
if ($bitsPerCharacter !== 4) {
ini_set('session.sid_bits_per_character', '4');
}
if ($sidLength !== 32) {
ini_set('session.sid_length', '32');
}
}

$this->sidRegexp .= '{' . $sidLength . '}';
$this->sidRegexp = '[0-9a-f]{32}';
}

/**
Expand Down

0 comments on commit c9434c9

Please sign in to comment.