Hi,
At Debian we've gotten a bug report which I'm quoting below. Basically, the user has hashing of his sessions dir, but this is apparently broken by the following bit of code that phpMyAdmin employs in session.php:
// use more secure session ids (with PHP 5)
if (version_compare(PHP_VERSION, '5.0.0', 'ge') && substr(PHP_OS, 0, 3) != 'WIN') {
    ini_set('session.hash_function', 1);
    ini_set('session.hash_bits_per_character', 6);
}
As I understand it, only the first option actually changes the security, as it increases the number of bits in the algorithm. Changing the hash_bits_per_character option only changes the style of the session hash names, not their security.
Yet, "hard" overriding this second option causes trouble for sysadmins that have enabled hashing of their session dir as in the quoted bug report. I see no real reason to hardcode the bits_per_character option, as the only thing it does is make the IDs a bit shorter, but they're not human readable anyway...
Is there a reason why bits_per_character is hardcoded, or could it be removed?
thanks, Thijs
=== begin quote ===
Enabling hashing of session files into directories[1] with the default php configuration requires creating a directory hierarchy[2] for them.
Phpmyadmin enforces different session names[3] than those configured by the sysadmin, but does use the default directory and hashing depth. So if the sysadmin creates a hierarchy for his session naming scheme, phpmyadmin will fail to create (some) of the session files because no directories [G-Zg-z] (and maybe more?) exist in the directory tree.
IMO phpmyadmin should honor the session settings in the main php.ini or allow this behaviour to be configured by debconf (along with its own session directory).
[1] accomplished by setting session.save_path="2;/var/lib/php5" in /etc/php5/apache2/php.ini
- session name: sess_a1765f9b22bc2e2c2b672f4ab34a3199
- is stored as /var/lib/php5/a/1/sess_a1765f9b22bc2e2c2b672f4ab34a3199
[2] with the default php setting sessions are hashed to hex-digit directories (session.hash_bits_per_character = 4)
[3] /usr/share/phpmyadmin/libraries/session.inc.php:66 [in 2.9.1.1 -TK]
=== end quote ===
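The directory-hashing mismatch described in the bug report, as an added example that is not part of this thread: it assumes PHP's files handler semantics for session.save_path (the leading N characters of the session ID become nested directory levels) and the character sets PHP uses for each hash_bits_per_character value; the 6-bit sample IDs are constructed, the hex one is the ID quoted above.

```python
import os
from itertools import product

# Character sets PHP's session module uses for each hash_bits_per_character
# value (assumed from PHP's session.c; 6 bits adds upper case, '-' and ',').
ALPHABETS = {
    4: "0123456789abcdef",
    5: "0123456789abcdefghijklmnopqrstuv",
    6: "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,",
}

# Constructed sample IDs: the first is the hex ID from the bug report, the
# other two are shaped like IDs produced with hash_bits_per_character = 6.
SAMPLE_IDS = [
    "a1765f9b22bc2e2c2b672f4ab34a3199",
    "Gx7Q-kLm2pR9sT4vWz0aB3",
    ",Vq2Zt8-Mn5Kp1Rs6Wy3Hd",
]

def parse_save_path(save_path):
    """Split a session.save_path value into (depth, directory).
    PHP accepts "path", "N;path" and "N;MODE;path"."""
    parts = save_path.split(";")
    if len(parts) == 1:
        return 0, parts[0]
    return int(parts[0]), parts[-1]

def session_file_path(save_path, session_id):
    """Where the files handler stores sess_<id> for this save_path."""
    depth, root = parse_save_path(save_path)
    levels = list(session_id[:depth])
    return os.path.join(root, *levels, "sess_" + session_id)

def required_dirs(save_path, bits_per_char):
    """Every leaf directory that must pre-exist so that any ID produced
    with this hash_bits_per_character setting can be stored."""
    depth, root = parse_save_path(save_path)
    alphabet = ALPHABETS[bits_per_char]
    return {os.path.join(root, *combo) for combo in product(alphabet, repeat=depth)}

def unstorable_ids(save_path, sysadmin_bits, session_ids):
    """IDs whose leading characters fall outside the tree the sysadmin
    built for sysadmin_bits (these are the sessions that fail to save)."""
    tree = required_dirs(save_path, sysadmin_bits)
    return [sid for sid in session_ids
            if os.path.dirname(session_file_path(save_path, sid)) not in tree]

if __name__ == "__main__":
    print(unstorable_ids("2;/var/lib/php5", 4, SAMPLE_IDS))
```

With the sysadmin's hex tree (256 leaves for depth 2) the two 6-bit IDs cannot be stored, while a tree built for 6 bits (4096 leaves) stores all three.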
Thijs Kinkhorst wrote:
Hi,
At Debian we've gotten a bug report which I'm quoting below. Basically, the user has hashing of his sessions dir, but this is apparently broken by the following bit of code that phpMyAdmin employs in session.php:
// use more secure session ids (with PHP 5)
if (version_compare(PHP_VERSION, '5.0.0', 'ge') && substr(PHP_OS, 0, 3) != 'WIN') {
    ini_set('session.hash_function', 1);
    ini_set('session.hash_bits_per_character', 6);
}
As I understand it, only the first option actually changes the security, as it increases the number of bits in the algorithm. Changing the hash_bits_per_character option only changes the style of the session hash names, not their security.
Yet, "hard" overriding this second option causes trouble for sysadmins that have enabled hashing of their session dir as in the quoted bug report. I see no real reason to hardcode the bits_per_character option, as the only thing it does is make the IDs a bit shorter, but they're not human readable anyway...
Is there a reason why bits_per_character is hardcoded, or could it be removed?
I see no reason for this overriding.
thanks, Thijs
=== begin quote ===
Enabling hashing of session files into directories[1] with the default php configuration requires creating a directory hierarchy[2] for them.
Phpmyadmin enforces different session names[3] than those configured by the sysadmin, but does use the default directory and hashing depth. So if the sysadmin creates a hierarchy for his session naming scheme, phpmyadmin will fail to create (some) of the session files because no directories [G-Zg-z] (and maybe more?) exist in the directory tree.
IMO phpmyadmin should honor the session settings in the main php.ini or allow this behaviour to be configured by debconf (along with its own session directory).
[1] accomplished by setting session.save_path="2;/var/lib/php5" in /etc/php5/apache2/php.ini
- session name: sess_a1765f9b22bc2e2c2b672f4ab34a3199
- is stored as /var/lib/php5/a/1/sess_a1765f9b22bc2e2c2b672f4ab34a3199
[2] with the default php setting sessions are hashed to hex-digit directories (session.hash_bits_per_character = 4)
[3] /usr/share/phpmyadmin/libraries/session.inc.php:66 [in 2.9.1.1 -TK]
=== end quote ===
Continue the discussion here: http://sourceforge.net/tracker/index.php?func=detail&aid=1955386&gro...
Phpmyadmin-devel mailing list Phpmyadmin-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel