Bug #55787 [Com]: session_id() - Limits on amount session_regenerate_id() can be used with sha512

Thu, 29 Sep 2011 04:00:37 -0700 

Edit report at https://bugs.php.net/bug.php?id=55787&edit=1

 ID:                 55787
 Comment by:         matty at mattyasia dot com
 Reported by:        jason dot gerfen at gmail dot com
 Summary:            session_id() - Limits on amount
                     session_regenerate_id() can be used with sha512
 Status:             Open
 Type:               Bug
 Package:            Session related
 Operating System:   Linux
 PHP Version:        5.3.8
 Block user comment: N
 Private report:     N

 New Comment:

This is a coding problem, not a bug. Perhaps an omission in the documentation 
though.

You can not use this function after you have sent any data to the browser.

So your problem here is that you have used "echo" before calling 
"session_regenerate_id()", causing this error.

echo '<b>Testing with PHP defaults</b><br/>';
_loop(session_id(), 40, 'a');


Previous Comments:
------------------------------------------------------------------------
[2011-09-26 18:29:57] jason dot gerfen at gmail dot com

Description:
------------
I am not sure if this is a bug or a feature in terms of limits due to a test 
case exceeding internal limits.

Scenario #1.
Using session_regenerate_id() over 39 times results in the following errors:
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot 
regenerate session id - headers already sent

Scenario #2.
Using session_regenerate_id() over 19 times results in the following errors:
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot 
regenerate session id - headers already sent; when the following parameters are 
modified:
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");
ini_set("session.hash_function", "sha512");


Test script:
---------------
session_start();

function _regenIDdef($old){
 session_regenerate_id(true);
 $_SESSION = $old;
}

function _prettyPrint($id, $i){
 echo sprintf('Iteration: %d : ID: %s => Length: %d<br/>', $i, $id, 
strlen((string)$id));
}

function _collide($array){
 $x=0;
 foreach($array as $k => $v){
  if (count(in_array($v, $array))>1){
   $x = $x++;
   echo sprintf('Collision found at %d session id %s<br/>', $k, $v);
  }
 }
 echo sprintf('Total collisions found %d<br/>', $x);
}

function _loop($id, $int){
 $a = array();
 for($i=0; $i<$int; $i++){
  _regenIDdef($id);
  _prettyPrint(session_id(), $i);
  $a[$i]=session_id();
 }
 _collide($a);
}

echo '<b>Testing with PHP defaults</b><br/>';
_loop(session_id(), 40, 'a');

echo '<b>Testing with /dev/urandom & entropy 32</b><br/>';
ini_set("session.entropy_file", "/dev/urandom");
ini_set("session.entropy_length", "512");
ini_set("session.hash_function", "sha512");
_loop(session_id(), 20, 'a');

?>

Expected result:
----------------
No errors returning about not being able to regenerate a new session_id

Actual result:
--------------
Warning: session_regenerate_id() [function.session-regenerate-id]: Cannot 
regenerate session id - headers already sent


------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=55787&edit=1

Reply via email to