[Phpmyadmin-devel] secure session through hash_bits_per_character?

Thijs Kinkhorst thijs at debian.org
Wed Apr 30 21:56:47 CEST 2008


Hi,

At Debian we've gotten a bug report which I'm quoting below. Basically, the 
user has hashing of his sessions dir, but this is apparently broken by the 
following bit of code that phpMyAdmin employs in session.php:

    // use more secure session ids (with PHP 5)
    if (version_compare(PHP_VERSION, '5.0.0', 'ge')
      && substr(PHP_OS, 0, 3) != 'WIN') {
        ini_set('session.hash_function', 1);
        ini_set('session.hash_bits_per_character', 6);
    }

As I understand it, only the first option actually changes the security, as it 
increases the number of bits in the algorithm. Changing the 
hash_bits_per_character option only changes the style of the session hash 
names, not their security.

Yet, "hard" overriding this second option causes trouble for sysadmins that 
have enabled hashing of their session dir as in the quoted bug report. I see 
no real reason to hardcode the bits_per_character option, as the only thing 
it does is make the IDs a bit shorter, but they're not human readable 
anyway...

Is there a reason why bits_per_character is hardcoded, or could it be removed?

thanks,
Thijs

=== begin quote ===

Enabling hashing session files to directories[1] with default php
configuration requires creating a directory hierarchy[2] for them.

Phpmyadmin enforces different session names[3] than configured by the
sysadmin, but does use the default directory and hashing depth. So if the
sysadmin creates a hierarchy for his session naming scheme, phpmyadmin
will fail to create (some of) the session files because no directories
[G-Zg-z] (and maybe more?) exist in the directory tree.

IMO phpmyadmin should honor session settings in the main php.ini or
allow this behaviour to be configured by debconf (along with its own
session directory).

[1] accomplished by setting session.save_path="2;/var/lib/php5" in
    /etc/php5/apache2/php.ini
    - session name: sess_a1765f9b22bc2e2c2b672f4ab34a3199
    - is stored as /var/lib/php5/a/1/sess_a1765f9b22bc2e2c2b672f4ab34a3199
[2] with default php setting sessions are hashed to hex-digit
    directories (session.hash_bits_per_character = 4)
[3] /usr/share/phpmyadmin/libraries/session.inc.php:66 [in 2.9.1.1 -TK]

=== end quote ===
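As an added illustration (not code from phpMyAdmin or from the bug report), the Python below models how the two ini settings interact with a hashed save_path: the ID alphabet follows hash_bits_per_character, and save_path "N;/dir" uses the first N characters of the ID as directory names, so IDs produced under the phpMyAdmin override need directories that a hex-only tree does not contain. The bin_to_readable encoding is an assumption modelled on PHP 5's session module, the "N;MODE;/dir" save_path form is not handled, and all seeds are constructed.

```python
import hashlib

# Alphabets PHP 5 uses for each session.hash_bits_per_character setting
ALPHABETS = {
    4: "0123456789abcdef",
    5: "0123456789abcdefghijklmnopqrstuv",
    6: "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,",
}
HASHES = {0: hashlib.md5, 1: hashlib.sha1}  # session.hash_function 0 / 1

def bin_to_readable(digest: bytes, nbits: int) -> str:
    """Digest -> session ID, modelled on PHP's bin_to_readable(): the bytes are
    consumed as a bit stream (low-order bits first), nbits per output character."""
    table, mask = ALPHABETS[nbits], (1 << nbits) - 1
    out, w, have = [], 0, 0
    for byte in digest:
        w |= byte << have
        have += 8
        while have >= nbits:
            out.append(table[w & mask])
            w >>= nbits
            have -= nbits
    if have:  # trailing partial group is zero-padded: SHA-1 at 6 bits gives 27 chars
        out.append(table[w & mask])
    return "".join(out)

def make_session_id(seed: bytes, hash_function: int, nbits: int) -> str:
    """Session ID for one entropy input under the given pair of ini settings."""
    return bin_to_readable(HASHES[hash_function](seed).digest(), nbits)

def session_file_path(save_path: str, session_id: str) -> str:
    """Session file under save_path 'N;/dir': the first N ID characters each become
    one directory level (assumption: only the 'N;/dir' and '/dir' forms are handled)."""
    depth, base = 0, save_path
    if ";" in save_path:
        d, _, base = save_path.partition(";")
        depth = int(d)
    return "/".join([base.rstrip("/"), *session_id[:depth], "sess_" + session_id])

def missing_dirs(session_id: str, depth: int, tree: str = ALPHABETS[4]) -> list:
    """Directory components the ID needs that a tree pre-created for the hex
    alphabet (PHP's default, 4 bits per character) does not contain."""
    return [c for c in session_id[:depth] if c not in tree]

def failure_rate(hash_function: int, nbits: int, depth: int = 2, n: int = 1000) -> float:
    """Share of IDs (constructed, deterministic seeds) whose save would fail
    because the hex-only directory tree lacks a subdirectory they need."""
    ids = [make_session_id(b"constructed-%d" % i, hash_function, nbits) for i in range(n)]
    return sum(1 for s in ids if missing_dirs(s, depth)) / n
```

With a depth-2 hex tree, failure_rate(0, 4) is 0.0 while failure_rate(1, 6) is roughly 0.94, since only IDs whose first two characters both fall in 0-9a-f find their directories.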