diff --git a/NEWS b/NEWS
index 06d31bcf4f2b0..5d237a6460c62 100644
--- a/NEWS
+++ b/NEWS
@@ -17,6 +17,10 @@ PHP NEWS
 - Random:
 . lcg_value() is now deprecated. (timwolla)
+- Session:
+ . INI settings session.sid_length and session.sid_bits_per_character are now
+ deprecated. (timwolla)
+
 - Standard:
 . Unserializing the uppercase 'S' tag is now deprecated. (timwolla)
diff --git a/UPGRADING b/UPGRADING
index d25eb35383b8b..e41faf5dd40ed 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -446,6 +446,10 @@ PHP 8.4 UPGRADE NOTES
 - Session:
 . Calling session_set_save_handler() with more than 2 arguments is deprecated. Use the 2-parameter signature instead.
+ . Changing the INI settings session.sid_length and session.sid_bits_per_character
+ is deprecated. Update the session storage backend to accept 32 character
+ hexadecimal session IDs and stop changing these two INI settings.
+ RFC: https://wiki.php.net/rfc/deprecations_php_8_4
 - Standard:
 . Calling stream_context_set_option() with 2 arguments is deprecated.
diff --git a/ext/session/session.c b/ext/session/session.c
index 01cffb997dafe..5ea341d0bb2d3 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -751,6 +751,9 @@ static PHP_INI_MH(OnUpdateSidLength) /* {{{ */
 SESSION_CHECK_ACTIVE_STATE;
 SESSION_CHECK_OUTPUT_STATE;
 val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10);
+ if (val != 32) {
+ zend_error(E_DEPRECATED, "session.sid_length INI setting is deprecated");
+ }
 if (endptr && (*endptr == '\0') && val >= 22 && val <= PS_MAX_SID_LENGTH) {
 /* Numeric value */
@@ -771,6 +774,9 @@ static PHP_INI_MH(OnUpdateSidBits) /* {{{ */
 SESSION_CHECK_ACTIVE_STATE;
 SESSION_CHECK_OUTPUT_STATE;
 val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10);
+ if (val != 4) {
+ zend_error(E_DEPRECATED, "session.sid_bits_per_character INI setting is deprecated");
+ }
 if (endptr && (*endptr == '\0') && val >= 4 && val <=6) {
 /* Numeric value */
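Review bot: The deprecation test `if (val != 32)` in OnUpdateSidLength runs on the raw ZEND_STRTOL result, ahead of the `endptr`/range validation on the following context line. A value with trailing characters such as "32x" parses as 32 and skips the notice even though it then fails the `*endptr == '\0'` test, while a non-numeric value parses as 0 and gets a deprecation on top of whatever the rejection path (outside this hunk) reports. Consider deciding on the fully parsed value, e.g. `if (!endptr || *endptr != '\0' || val != 32) {`, or raising the notice only inside the validated branch; the same ordering applies to `if (val != 4)` in the OnUpdateSidBits hunk. Neither handler's visible lines consult the INI stage, so it is worth confirming the notice is not raised a second time when the engine restores a non-default php.ini value at request end. Both function bodies start and end outside their hunks.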
diff --git a/ext/session/tests/bug68063.phpt b/ext/session/tests/bug68063.phpt
index 2aa3ea1c41b9b..6832574cd4d3c 100644
--- a/ext/session/tests/bug68063.phpt
+++ b/ext/session/tests/bug68063.phpt
@@ -22,5 +22,6 @@ var_dump(session_start());
 var_dump(session_id());
 ?>
 --EXPECTF--
+Deprecated: session.sid_length INI setting is deprecated in Unknown on line 0
 bool(true)
 string(40) "%s"
diff --git a/ext/session/tests/session_id_basic2.phpt b/ext/session/tests/session_id_basic2.phpt
index 5f777a9866679..9182ab0f6c0d6 100644
--- a/ext/session/tests/session_id_basic2.phpt
+++ b/ext/session/tests/session_id_basic2.phpt
@@ -11,13 +11,13 @@ ob_start();
 echo "*** Testing session_id() : basic functionality ***\n";
-ini_set('session.sid_bits_per_chracter', 6);
+ini_set('session.sid_bits_per_character', 6);
 ini_set('session.sid_length', 120);
 session_start();
 var_dump(session_id());
 session_commit();
-ini_set('session.sid_bits_per_chracter', 4);
+ini_set('session.sid_bits_per_character', 4);
 ini_set('session.sid_length', 22);
 session_start();
 session_regenerate_id();
@@ -28,6 +28,12 @@ echo "Done";
 ?>
 --EXPECTF--
 *** Testing session_id() : basic functionality ***
+
+Deprecated: session.sid_bits_per_character INI setting is deprecated in %s on line %d
+
+Deprecated: session.sid_length INI setting is deprecated in %s on line %d
 string(120) "%s"
+
+Deprecated: session.sid_length INI setting is deprecated in %s on line %d
 string(22) "%s"
 Done
diff --git a/php.ini-development b/php.ini-development
index 2ce934f811932..6ec2b5eacfa0d 100644
--- a/php.ini-development
+++ b/php.ini-development
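Review bot: The corrected `ini_set('session.sid_bits_per_character', 6);` calls in session_id_basic2.phpt still discard their return value, which is how the misspelled key went unnoticed: ini_set() returns false for a setting it cannot change and the test passed regardless. Consider asserting the result, e.g. `var_dump(ini_set('session.sid_bits_per_character', 6) !== false);` with a matching `bool(true)` line in --EXPECTF--. The expectation `string(120) "%s"` also pins only the length, so the test would not notice if the 6-bit alphabet were not applied. A `%r...%r` regex over the expected character set would cover that, assuming the alphabet is the one listed in the php.ini comment removed elsewhere in this commit.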
@@ -1422,15 +1422,6 @@ session.cache_expire = 180
 ; https://php.net/session.use-trans-sid
 session.use_trans_sid = 0
-; Set session ID character length. This value could be between 22 to 256.
-; Shorter length than default is supported only for compatibility reason.
-; Users should use 32 or more chars.
-; https://php.net/session.sid-length
-; Default Value: 32
-; Development Value: 26
-; Production Value: 26
-session.sid_length = 26
-
 ; The URL rewriter will look for URLs in a defined set of HTML tags.
 ;
is special; if you include them here, the rewriter will
 ; add a hidden field with the info which is otherwise appended
@@ -1456,18 +1447,6 @@ session.trans_sid_tags = "a=href,area=href,frame=src,form="
 ; Production Value: ""
 ;session.trans_sid_hosts=""
-; Define how many bits are stored in each character when converting
-; the binary hash data to something readable.
-; Possible values:
-; 4 (4 bits: 0-9, a-f)
-; 5 (5 bits: 0-9, a-v)
-; 6 (6 bits: 0-9, a-z, A-Z, "-", ",")
-; Default Value: 4
-; Development Value: 5
-; Production Value: 5
-; https://php.net/session.hash-bits-per-character
-session.sid_bits_per_character = 5
-
 ; Enable upload progress tracking in $_SESSION
 ; Default Value: On
 ; Development Value: On
diff --git a/php.ini-production b/php.ini-production
index 43d24fc372087..9635a8dd1702b 100644
--- a/php.ini-production
+++ b/php.ini-production
@@ -1424,15 +1424,6 @@ session.cache_expire = 180
 ; https://php.net/session.use-trans-sid
 session.use_trans_sid = 0
-; Set session ID character length. This value could be between 22 to 256.
-; Shorter length than default is supported only for compatibility reason.
-; Users should use 32 or more chars.
-; https://php.net/session.sid-length
-; Default Value: 32
-; Development Value: 26
-; Production Value: 26
-session.sid_length = 26
-
 ; The URL rewriter will look for URLs in a defined set of HTML tags.
 ; is special; if you include them here, the rewriter will
 ; add a hidden field with the info which is otherwise appended
@@ -1458,18 +1449,6 @@ session.trans_sid_tags = "a=href,area=href,frame=src,form="
 ; Production Value: ""
 ;session.trans_sid_hosts=""
-; Define how many bits are stored in each character when converting
-; the binary hash data to something readable.
-; Possible values:
-; 4 (4 bits: 0-9, a-f)
-; 5 (5 bits: 0-9, a-v)
-; 6 (6 bits: 0-9, a-z, A-Z, "-", ",")
-; Default Value: 4
-; Development Value: 5
-; Production Value: 5
-; https://php.net/session.hash-bits-per-character
-session.sid_bits_per_character = 5
-
 ; Enable upload progress tracking in $_SESSION
 ; Default Value: On
 ; Development Value: On