> -----Original Message-----
> From: Jens Kisters [mailto:jk-temp@xxxxxx]
> Sent: 08 September 2006 14:53
>
> We validate all incoming parameters, and that includes checking that the
> PHP session ID is only numbers and letters and is 32 bytes long.
> This worked for some PHP5 servers, but we just encountered a 5.1.2 that
> issued session IDs that were 26 bytes long.
> I can't find any note about that in either of the PHP5 changelogs.
>
> Question: What lengths are valid for PHP sessions? Is it possible to
> encounter valid sessions with a length other than 26 and 32?

Yes. Originally, session IDs were MD5 hashes 128 bits long, encoded 4 bits per character to give a 32-character session id. PHP 5 introduced the settings session.hash_function and session.hash_bits_per_character; with these, you can have an MD5 (128 bits) or SHA-1 (160 bits) hash, encoded 4, 5 or 6 bits per character. There are 6 possible combinations of these settings, giving 5 possible session id lengths of 40, 32, 27, 26 and 22 characters.

Cheers!

Mike

---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser, Learning Support Services,
Learning & Information Services, JG125, James Graham Building,
Leeds Metropolitan University, Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: m.ford@xxxxxxxxxxxxxx
Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211

--
PHP General Mailing List (http://www.php.net/)
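The six setting combinations in Mike's reply, worked into a validator for incoming session IDs (an added example, not code from the thread or from PHP itself). It assumes the character table PHP's session module encodes with, digits, lowercase, uppercase, '-' and ',' in that order, of which a setting of n bits per character uses the first 2**n, and derives each length by ceiling division, which is why the original poster's "letters and digits, 32 bytes" check rejects valid IDs.

```python
from itertools import product

# Hash sizes in bits for the two session.hash_function choices in PHP 5.
HASH_BITS = {"md5": 128, "sha1": 160}

# Assumed encoding table (PHP's session module): an id produced with
# session.hash_bits_per_character = n uses the first 2**n characters.
# At 6 bits per character '-' and ',' can therefore appear in a valid id.
HEXCONVTAB = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-,"

BITS_PER_CHAR_SETTINGS = (4, 5, 6)


def session_id_length(hash_function: str, bits_per_char: int) -> int:
    """Characters needed to hold the whole hash; a partial last group still gets one character."""
    bits = HASH_BITS[hash_function]
    return -(-bits // bits_per_char)  # ceiling division


def valid_lengths() -> set:
    """All lengths a PHP 5 session id can have across the six setting combinations."""
    return {session_id_length(h, b) for h, b in product(HASH_BITS, BITS_PER_CHAR_SETTINGS)}


def is_plausible_session_id(sid: str) -> bool:
    """True if at least one (hash_function, bits_per_character) pair could have produced sid:
    the length must match that pair and every character must come from that pair's alphabet.
    Length alone is not enough: 32 characters can be MD5 at 4 bits (hex only) or
    SHA-1 at 5 bits (0-9, a-v only)."""
    for hash_function, bits_per_char in product(HASH_BITS, BITS_PER_CHAR_SETTINGS):
        if len(sid) != session_id_length(hash_function, bits_per_char):
            continue
        alphabet = set(HEXCONVTAB[: 2 ** bits_per_char])
        if all(c in alphabet for c in sid):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not real session ids.
    for sample in ("0123456789abcdef0123456789abcdef", "z" * 32, "a-,Z" * 5 + "ab"):
        print(len(sample), repr(sample), is_plausible_session_id(sample))
```

Reject anything this returns False for before using it as a session name; the accepted set is still only a syntax check, not proof that the session exists.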