[Phpmyadmin-devel] secure session through hash_bits_per_character?
Marc Delisle
Marc.Delisle at cegepsherbrooke.qc.ca
Thu May 1 14:08:08 CEST 2008
Thijs Kinkhorst a écrit :
> Hi,
>
> At Debian we've gotten a bug report which I'm quoting below. Basically, the
> user has hashing of his sessions dir, but this is appearently broken by the
> following bit of code that phpMyAdmin employs in session.php:
>
> // use more secure session ids (with PHP 5)
> if (version_compare(PHP_VERSION, '5.0.0', 'ge')
> && substr(PHP_OS, 0, 3) != 'WIN') {
> ini_set('session.hash_function', 1);
> ini_set('session.hash_bits_per_character', 6);
> }
>
> As I understand it, only the first option actually changes the security, as it
> increases the number of bits in the algorithm. Changing the
> hash_bits_per_character option only changes the style of the session hash
> names, not their security.
>
> Yet, "hard" overriding this second option causes trouble for sysadmins that
> have enabled hashing of their session dir as in the quoted bug report. I see
> no real reason to hardcode the bits_per_character option, as the only thing
> it does is make te ID's a bit shorter, but they're not human readable
> anyway...
>
> Is there a reason why bits_per_character is hardcoded, or could it be removed?
I see no reason for this overriding.
>
> thanks,
> Thijs
>
> === begin quote ===
>
> Enabling hashing session files to directories[1] with default php
> configuration requires creating a directory hierarchy[2] for them.
>
> Phpmyadmin enforces different session names[3] than configured by
> sysadmin, but does use default directory and hashing depth. So if
> sysadmin creates hierarchy for his session naming scheme, phpmyadmin
> will fail creating (some) of the session files because no directories
> [G-Zg-z] (and maybe more?) exist in the directory tree.
>
> IMO phpmyadmin should honor session settings in the main php.ini or
> allow this behaviour to be configured by debconf (along with its own
> session directory).
>
> [1] accomplished by setting session.save_path="2;/var/lib/php5" in
> /etc/php5/apache2/php.ini
> - session name: sess_a1765f9b22bc2e2c2b672f4ab34a3199
> - is stored as /var/lib/php5/a/1/sess_a1765f9b22bc2e2c2b672f4ab34a3199
> [2] with default php setting sessions are hashed to hex-digit
> directories (session.hash_bits_per_character = 4)
> [3] /usr/share/phpmyadmin/libraries/session.inc.php:66 [in 2.9.1.1 -TK]
>
> === end quote ===
More information about the Developers
mailing list