yohgaki

Yasuo Ohgaki

Contents

PHP RFC: Session ID without hashing

Introduction

The objective of this RFC is session module code cleanup, remove unneeded code complexity and redundancy.

  • Hash function is not required to generate session ID with CSPRNG.
  • Hash function removal results in less number of INI config.

NOTE: It is meaningless applying hash to CS safe random bytes.

Since PHP 7, there is php_random_bytes() function. Session ID generation does not need hashing for secure session ID generation. Session module may simply convert random bytes to readable characters.

As a bonus, simple session generation performance increased 2X or more.

  • w/ Patch: Requests per second: 2278.59 [#/sec] (mean)
  • w/o Patch: Requests per second: 899.36 [#/sec] (mean)

Proposal

Use php_random_bytes() generated binary random value directly and convert it to session ID by using session internal bin_to_readable() function.

Remove hash and RNG related codes and settings from session module.

  • session.hash_function
  • session.hash_bits_per_character
  • session.entropy_file
  • session.entropy_length

Add new config for session ID generation.

  • session.sid_length (Session ID string length. Default: 48 or 32)
  • session.sid_bits_per_character (Outstanding bits per char. Default: 5 or 4)

Default INI setting is vote option. session.sid_length=48 and session.sid_bits_per_character=5 is stronger, but BC. session.sid_length=32 and session.sid_bits_per_character=4 is weaker, but no BC.

NOTE: New session ID is far less likely to have collisions. Even if system has broken CSPRNG, session module has session ID collision detection already.

Min/max length of session ID: 22 - 256 (22 is the same length as MD5 hash with_hash_bits_per_chars=6)

Discussions

Exposing PRNG state has risk

If PRNG has vulnerability that generates predictable value, exposing raw PRNG state helps attackers. Although, this is unlikely with modern PRNGs, but risk is there.

To mitigate risk, additional bytes (+60 bytes) are read from PRNG. Additional bytes should be good enough for predictable session ID with broken PRNG implementation. Those who are concerned PRNG quality, you may choose new INI defaults. Those who are comfortable with PRNG quality and value compatibility, you may choose compatible(old) INI defaults.

Backward Incompatible Changes

None, when compatible default is chosen

  • session.sid_length=32
  • session.sid_bits_per_character=4

If non-compatible default is chosen, session.sid_length, session.sid_bits_per_character may set to compatible value.

  • session.sid_length=48
  • session.sid_bits_per_character=5

Proposed PHP Version(s)

PHP 7.1

RFC Impact

To SAPIs

None

To Existing Extensions

Session module

To Opcache

None

New Constants

None

php.ini Defaults

hardcoded default and php.ini-* default values are the same. This is voting option.

  • session.sid_length (Session ID string length. Default: 48 or 32)
  • session.sid_bits_per_character (Outstanding bits per char. Default: 5 or 4)

Open Issues

None

Unaffected PHP Functionality

3rd party and user save handlers are unaffected.

Future Scope

Patches and Tests

Implementation

Due to the default value used in php.ini-development/production, INI settings in those files are set to

  • session.sid_length=26
  • session.sid_bits_per_character=5

This matches session.hash_func=0 and session.hash_bits_per_character=5 used since PHP 5.3.

  1. the version(s) it was merged to PHP 7.1
  2. a link to the git commit(s)
  3. a link to the PHP manual entry:

References

Rejected Features

Votes

An option needs 2/3 votes to win

Session ID without hashing Re-vote (100% approved)
User Vote
davey Yes
dm Yes
guilhermeblanco Yes
leigh Yes
ocramius Yes
pollita Yes
sammyk Yes
stas Yes
yohgaki Yes
Session ID without hashing Re-vote: INI option (100% approved)
User Vote
davey Use compatible defaults (No BC break)
derick Use compatible defaults (No BC break)
dm Use compatible defaults (No BC break)
guilhermeblanco Use new defaults (BC break)
leigh Use compatible defaults (No BC break)
ocramius Use compatible defaults (No BC break)
pollita Use compatible defaults (No BC break)
sammyk Use new defaults (BC break)
stas Use compatible defaults (No BC break)
yohgaki Use new defaults (BC break)