From 973e1487563b67955e2697d1bf26ec6e8c27824a Mon Sep 17 00:00:00 2001 From: kenjis Date: Wed, 21 Aug 2024 13:02:18 +0900 Subject: [PATCH 1/3] feat: add deprecation error handling for session.sid_length and session.sid_bits_per_character --- system/Debug/Exceptions.php | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/system/Debug/Exceptions.php b/system/Debug/Exceptions.php index e5f7ecb04881..fac10b32114d 100644 --- a/system/Debug/Exceptions.php +++ b/system/Debug/Exceptions.php @@ -209,6 +209,10 @@ public function exceptionHandler(Throwable $exception) public function errorHandler(int $severity, string $message, ?string $file = null, ?int $line = null) { if ($this->isDeprecationError($severity)) { + if ($this->isSessionSidDeprecationError($message, $file, $line)) { + return true; + } + if (! $this->config->logDeprecations || (bool) env('CODEIGNITER_SCREAM_DEPRECATIONS')) { throw new ErrorException($message, 0, $severity, $file, $line); } @@ -223,6 +227,32 @@ public function errorHandler(int $severity, string $message, ?string $file = nul return false; // return false to propagate the error to PHP standard error handler } + /** + * Handles session.sid_length and session.sid_bits_per_character deprecations + * in PHP 8.4. + */ + private function isSessionSidDeprecationError(string $message, ?string $file = null, ?int $line = null): bool + { + if ( + PHP_VERSION_ID >= 80400 + && str_contains($message, 'session.sid_') + ) { + log_message( + LogLevel::WARNING, + '[DEPRECATED] {message} in {errFile} on line {errLine}.', + [ + 'message' => $message, + 'errFile' => clean_path($file ?? ''), + 'errLine' => $line ?? 0, + ] + ); + + return true; + } + + return false; + } + /** * Checks to see if any errors have happened during shutdown that * need to be caught and handle them. From 12385ed3b70bfc751675c507f705d764cc4b6a5f Mon Sep 17 00:00:00 2001 From: kenjis Date: Thu, 22 Aug 2024 10:25:57 +0900 Subject: [PATCH 2/3] fix!: we force PHP defaults of session.sid_bits_per_character/session.sid_length They are deprecated in PHP 8.4. --- system/Session/Handlers/FileHandler.php | 33 +++++++--------- system/Session/Session.php | 50 +++++++------------------ 2 files changed, 26 insertions(+), 57 deletions(-) diff --git a/system/Session/Handlers/FileHandler.php b/system/Session/Handlers/FileHandler.php index 4dbec779526a..2b2425eb0458 100644 --- a/system/Session/Handlers/FileHandler.php +++ b/system/Session/Handlers/FileHandler.php @@ -309,32 +309,25 @@ public function gc($max_lifetime) /** * Configure Session ID regular expression + * + * To make life easier, we force the PHP defaults. Because PHP9 forces them. + * See https://wiki.php.net/rfc/deprecations_php_8_4#sessionsid_length_and_sessionsid_bits_per_character */ protected function configureSessionIDRegex() { $bitsPerCharacter = (int) ini_get('session.sid_bits_per_character'); - $SIDLength = (int) ini_get('session.sid_length'); - - if (($bits = $SIDLength * $bitsPerCharacter) < 160) { - // Add as many more characters as necessary to reach at least 160 bits - $SIDLength += (int) ceil((160 % $bits) / $bitsPerCharacter); - ini_set('session.sid_length', (string) $SIDLength); - } - - switch ($bitsPerCharacter) { - case 4: - $this->sessionIDRegex = '[0-9a-f]'; - break; + $sidLength = (int) ini_get('session.sid_length'); - case 5: - $this->sessionIDRegex = '[0-9a-v]'; - break; - - case 6: - $this->sessionIDRegex = '[0-9a-zA-Z,-]'; - break; + // We force the PHP defaults. + if (PHP_VERSION_ID < 90000) { + if ($bitsPerCharacter !== 4) { + ini_set('session.sid_bits_per_character', '4'); + } + if ($sidLength !== 32) { + ini_set('session.sid_length', '32'); + } } - $this->sessionIDRegex .= '{' . $SIDLength . '}'; + $this->sessionIDRegex = '[0-9a-f]{32}'; } } diff --git a/system/Session/Session.php b/system/Session/Session.php index 0aabcbe31d53..cf11e92f6274 100644 --- a/system/Session/Session.php +++ b/system/Session/Session.php @@ -316,49 +316,25 @@ protected function configure() /** * Configure session ID length * - * To make life easier, we used to force SHA-1 and 4 bits per - * character on everyone. And of course, someone was unhappy. - * - * Then PHP 7.1 broke backwards-compatibility because ext/session - * is such a mess that nobody wants to touch it with a pole stick, - * and the one guy who does, nobody has the energy to argue with. - * - * So we were forced to make changes, and OF COURSE something was - * going to break and now we have this pile of shit. -- Narf + * To make life easier, we force the PHP defaults. Because PHP9 forces them. + * See https://wiki.php.net/rfc/deprecations_php_8_4#sessionsid_length_and_sessionsid_bits_per_character */ protected function configureSidLength() { - $bitsPerCharacter = (int) (ini_get('session.sid_bits_per_character') !== false - ? ini_get('session.sid_bits_per_character') - : 4); - - $sidLength = (int) (ini_get('session.sid_length') !== false - ? ini_get('session.sid_length') - : 40); - - if (($sidLength * $bitsPerCharacter) < 160) { - $bits = ($sidLength * $bitsPerCharacter); - // Add as many more characters as necessary to reach at least 160 bits - $sidLength += (int) ceil((160 % $bits) / $bitsPerCharacter); - ini_set('session.sid_length', (string) $sidLength); - } + $bitsPerCharacter = (int) ini_get('session.sid_bits_per_character'); + $sidLength = (int) ini_get('session.sid_length'); - // Yes, 4,5,6 are the only known possible values as of 2016-10-27 - switch ($bitsPerCharacter) { - case 4: - $this->sidRegexp = '[0-9a-f]'; - break; - - case 5: - $this->sidRegexp = '[0-9a-v]'; - break; - - case 6: - $this->sidRegexp = '[0-9a-zA-Z,-]'; - break; + // We force the PHP defaults. + if (PHP_VERSION_ID < 90000) { + if ($bitsPerCharacter !== 4) { + ini_set('session.sid_bits_per_character', '4'); + } + if ($sidLength !== 32) { + ini_set('session.sid_length', '32'); + } } - $this->sidRegexp .= '{' . $sidLength . '}'; + $this->sidRegexp = '[0-9a-f]{32}'; } /** From 703c2730fe9c5931aa5a7d1dc2c253a46473b3bc Mon Sep 17 00:00:00 2001 From: kenjis Date: Tue, 27 Aug 2024 14:14:07 +0900 Subject: [PATCH 3/3] docs: add changelog and upgrade --- user_guide_src/source/changelogs/v4.6.0.rst | 7 +++++++ .../source/installation/upgrade_460.rst | 21 +++++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/user_guide_src/source/changelogs/v4.6.0.rst b/user_guide_src/source/changelogs/v4.6.0.rst index 4c34f05be882..d3dc4529d512 100644 --- a/user_guide_src/source/changelogs/v4.6.0.rst +++ b/user_guide_src/source/changelogs/v4.6.0.rst @@ -90,6 +90,13 @@ environment, this behavior has been fixed so that error details are displayed if With this fix, the error details are now displayed under the same conditions for both HTML requests and non-HTML requests. +Session ID (SID) +---------------- + +Now ``Session`` library forces to use the PHP default 32 character SIDs, with 4 +bits of entropy per character. +See :ref:`Upgrading Guide ` for details. + .. _v460-interface-changes: Interface Changes diff --git a/user_guide_src/source/installation/upgrade_460.rst b/user_guide_src/source/installation/upgrade_460.rst index da0875849156..a06729a30f29 100644 --- a/user_guide_src/source/installation/upgrade_460.rst +++ b/user_guide_src/source/installation/upgrade_460.rst @@ -126,6 +126,27 @@ The following is an example of code that will no longer work: .. literalinclude:: upgrade_460/001.php +.. _upgrade-460-sid-change: + +Session ID (SID) Change +======================= + +Now :doc:`../libraries/sessions` forces to use the PHP default 32 character SIDs, +with 4 bits of entropy per character. This change is to match the behavior of +PHP 9. + +In other words, the following settings are always used: + +.. code-block:: ini + + session.sid_bits_per_character = 4 + session.sid_length = 32 + +In previous versions, the PHP ini settings was respected. So this change may +change your SID length. + +If you cannot accept this change, customize the Session library. + Interface Changes =================