[Phpmyadmin-devel] secure session through hash_bits_per_character?

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Thu May 1 14:08:08 CEST 2008


Thijs Kinkhorst wrote:
> Hi,
> 
> At Debian we've gotten a bug report which I'm quoting below. Basically, the 
> user has hashing of his sessions dir, but this is apparently broken by the 
> following bit of code that phpMyAdmin employs in session.php:
> 
>     // use more secure session ids (with PHP 5)
>     if (version_compare(PHP_VERSION, '5.0.0', 'ge')
>       && substr(PHP_OS, 0, 3) != 'WIN') {
>         ini_set('session.hash_function', 1);
>         ini_set('session.hash_bits_per_character', 6);
>     }
> 
> As I understand it, only the first option actually changes the security, as it 
> increases the number of bits in the algorithm. Changing the 
> hash_bits_per_character option only changes the style of the session hash 
> names, not their security.
> 
> Yet, "hard" overriding this second option causes trouble for sysadmins that 
> have enabled hashing of their session dir as in the quoted bug report. I see 
> no real reason to hardcode the bits_per_character option, as the only thing 
> it does is make the IDs a bit shorter, but they're not human readable 
> anyway...
> 
> Is there a reason why bits_per_character is hardcoded, or could it be removed?

I see no reason for this overriding.

> 
> thanks,
> Thijs
> 
> === begin quote ===
> 
> Enabling hashing session files to directories[1] with default php
> configuration requires creating a directory hierarchy[2] for them.
> 
> Phpmyadmin enforces different session names[3] than configured by
> sysadmin, but does use default directory and hashing depth. So if
> sysadmin creates hierarchy for his session naming scheme, phpmyadmin
> will fail creating (some) of the session files because no directories
> [G-Zg-z] (and maybe more?) exist in the directory tree.
> 
> IMO phpmyadmin should honor session settings in the main php.ini or
> allow this behaviour to be configured by debconf (along with its own
> session directory).
> 
> [1] accomplished by setting session.save_path="2;/var/lib/php5" in
> 	/etc/php5/apache2/php.ini
>   - session name: sess_a1765f9b22bc2e2c2b672f4ab34a3199
>   - is stored as /var/lib/php5/a/1/sess_a1765f9b22bc2e2c2b672f4ab34a3199
> [2] with default php setting sessions are hashed to hex-digit
> 	directories (session.hash_bits_per_character = 4)
> [3] /usr/share/phpmyadmin/libraries/session.inc.php:66 [in 2.9.1.1 -TK]
> 
> === end quote ===

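The mismatch the bug report describes can be reproduced without PHP. The following is an added example (not code from phpMyAdmin, PHP or the thread): it models how PHP's files session handler maps a session ID onto a hashed save_path of the form "N;/dir", builds the directory tree a sysadmin would create for the default 4-bit (hex) IDs, and then checks whether IDs rendered with 5 or 6 bits per character still land in an existing directory. The 5- and 6-bit alphabets are taken from PHP 5's session extension (the page itself only states that 4 bits gives hex digits); the session IDs other than the one from the bug report are constructed samples.

```python
import itertools
import os
import shutil
import tempfile

# Alphabets PHP 5 uses to render a session ID, keyed by session.hash_bits_per_character.
# The page only says 4 bits gives hex digits; the 5- and 6-bit sets are PHP's own tables.
ALPHABETS = {
    4: "0123456789abcdef",
    5: "0123456789abcdefghijklmnopqrstuv",
    6: "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,",
}


def parse_save_path(save_path):
    """Split a session.save_path of the form 'N;/dir' (or 'N;MODE;/dir') into (depth, dir)."""
    parts = save_path.split(";")
    if len(parts) == 1:
        return 0, parts[0]            # plain path, no directory hashing
    return int(parts[0]), parts[-1]


def session_file_path(save_path, session_id):
    """Where the files handler puts a session: one nested dir per leading ID character."""
    depth, base = parse_save_path(save_path)
    return os.path.join(base, *session_id[:depth], "sess_" + session_id)


def required_leaf_dirs(depth, bits):
    """Every leaf directory a sysadmin must pre-create for this depth and alphabet."""
    alphabet = ALPHABETS[bits]
    return {os.path.join(*combo) for combo in itertools.product(alphabet, repeat=depth)}


def unreachable_first_chars(admin_bits, app_bits):
    """ID characters the application may emit that the admin's tree has no directory for."""
    return sorted(set(ALPHABETS[app_bits]) - set(ALPHABETS[admin_bits]))


def can_store(save_path, session_id):
    """True if the directory PHP would write the session file into already exists."""
    return os.path.isdir(os.path.dirname(session_file_path(save_path, session_id)))


def demo(admin_bits=4, depth=2):
    """Build the admin's tree in a temp dir and try storing IDs from each alphabet.

    Returns {bits: bool}: whether a sample ID rendered with that many bits per
    character would land in a directory that exists.
    """
    base = tempfile.mkdtemp(prefix="phpsess_")
    try:
        for leaf in required_leaf_dirs(depth, admin_bits):
            os.makedirs(os.path.join(base, leaf), exist_ok=True)
        save_path = "%d;%s" % (depth, base)
        # Constructed sample IDs: the hex one from the bug report, then one per wider
        # alphabet that starts with a character only that alphabet contains.
        samples = {
            4: "a1765f9b22bc2e2c2b672f4ab34a3199",
            5: "v1765f9b22bc2e2c2b672f4ab34a3199",
            6: "Z1765f9b22bc2e2c2b672f4ab34a3199",
        }
        return {bits: can_store(save_path, sid) for bits, sid in samples.items()}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(session_file_path("2;/var/lib/php5", "a1765f9b22bc2e2c2b672f4ab34a3199"))
    print("first characters a hex tree cannot store when IDs use 6 bits:",
          "".join(unreachable_first_chars(4, 6)))
    print(demo())
```

With the admin's tree built for hex IDs, the hex sample is storable but the 5- and 6-bit samples are not, which is exactly the failure in the report. The 6-bit alphabet also contains "-" and ",", so the set of missing directories is wider than the "[G-Zg-z]" the reporter guessed; an application that overrides session.hash_bits_per_character on a hashed save_path has to ship a matching directory tree or leave the setting to php.ini.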