[Phpmyadmin-devel] secure session through hash_bits_per_character?

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Thu May 1 14:28:47 CEST 2008


Continue the discussion here: 
http://sourceforge.net/tracker/index.php?func=detail&aid=1955386&group_id=23067&atid=377408

Thijs Kinkhorst wrote:
> Hi,
> 
> At Debian we've gotten a bug report which I'm quoting below. Basically, the 
> user has hashing of his sessions dir, but this is apparently broken by the 
> following bit of code that phpMyAdmin employs in session.php:
> 
>     // use more secure session ids (with PHP 5)
>     if (version_compare(PHP_VERSION, '5.0.0', 'ge')
>       && substr(PHP_OS, 0, 3) != 'WIN') {
>         ini_set('session.hash_function', 1);
>         ini_set('session.hash_bits_per_character', 6);
>     }
> 
> As I understand it, only the first option actually changes the security, as it 
> increases the number of bits in the algorithm. Changing the 
> hash_bits_per_character option only changes the style of the session hash 
> names, not their security.
> 
> Yet, "hard" overriding this second option causes trouble for sysadmins that 
> have enabled hashing of their session dir as in the quoted bug report. I see 
> no real reason to hardcode the bits_per_character option, as the only thing 
> it does is make the IDs a bit shorter, but they're not human readable 
> anyway...
> 
> Is there a reason why bits_per_character is hardcoded, or could it be removed?
> 
> thanks,
> Thijs
> 
> === begin quote ===
> 
> Enabling hashing of session files into directories[1] with the default php
> configuration requires creating a directory hierarchy[2] for them.
> 
> Phpmyadmin enforces different session names[3] than those configured by the
> sysadmin, but does use the default directory and hashing depth. So if the
> sysadmin creates a hierarchy for his session naming scheme, phpmyadmin
> will fail to create (some of) the session files because no directories
> [G-Zg-z] (and maybe more?) exist in the directory tree.
> 
> IMO phpmyadmin should honor session settings in the main php.ini or
> allow this behaviour to be configured by debconf (along with its own
> session directory).
> 
> [1] accomplished by setting session.save_path="2;/var/lib/php5" in
>     /etc/php5/apache2/php.ini
>   - session name: sess_a1765f9b22bc2e2c2b672f4ab34a3199
>   - is stored as /var/lib/php5/a/1/sess_a1765f9b22bc2e2c2b672f4ab34a3199
> [2] with the default php setting sessions are hashed to hex-digit
>     directories (session.hash_bits_per_character = 4)
> [3] /usr/share/phpmyadmin/libraries/session.inc.php:66 [in 2.9.1.1 -TK]
> 
> === end quote ===
> 
> 
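As an added example (not code from this thread or from phpMyAdmin), the script below models PHP's "files" session handler: it maps a session id to its hashed save path under a "N;/path" save_path setting and lists every subdirectory a given session.hash_bits_per_character value needs, so an admin can verify a pre-built hierarchy against whatever value an application forces. The per-bits character sets follow PHP's documentation; the demo hierarchy is constructed to mirror the Debian report (hex directories built for 4 bits, application switching to 6).

```python
import os

# Characters PHP's session module emits for each session.hash_bits_per_character value.
ALPHABETS = {
    4: "0123456789abcdef",
    5: "0123456789abcdefghijklmnopqrstuv",
    6: "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,",
}

def parse_save_path(setting):
    """Split 'N;/path' (or 'N;mode;/path') into (depth, base_dir); a bare path is depth 0."""
    parts = setting.split(";")
    if len(parts) == 1:
        return 0, parts[0]
    return int(parts[0]), parts[-1]

def session_file_path(setting, session_id):
    """Where the files handler stores sess_<id>: one directory level per leading id character."""
    depth, base = parse_save_path(setting)
    return os.path.join(base, *session_id[:depth], "sess_" + session_id)

def required_dirs(setting, bits):
    """Every directory that must exist so any id made of ALPHABETS[bits] can be stored."""
    depth, base = parse_save_path(setting)
    dirs, frontier = [base], [base]
    for _ in range(depth):
        frontier = [os.path.join(d, c) for d in frontier for c in ALPHABETS[bits]]
        dirs.extend(frontier)
    return dirs

def missing_dirs(setting, bits, exists=os.path.isdir):
    """Required directories that are absent; pass a custom 'exists' to check a planned layout."""
    return [d for d in required_dirs(setting, bits) if not exists(d)]

def demo():
    # Constructed scenario: the sysadmin built "/var/lib/php5/<hexdigit>" for depth 1 and
    # bits_per_character = 4, then the application overrides bits_per_character to 6.
    setting = "1;/var/lib/php5"
    built = set(required_dirs(setting, 4))
    exists = built.__contains__
    return len(missing_dirs(setting, 4, exists)), len(missing_dirs(setting, 6, exists))
```

Calling missing_dirs("2;/var/lib/php5", 6) with the default filesystem check reports the directories a real hierarchy lacks for 6-bit ids.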