PHP 8.4 session.sid_length and session.sid_bits_per_character are deprecated

Created on 4 August 2024, 3 months ago
Updated 13 September 2024, 2 months ago

Problem/Motivation

The RFC https://wiki.php.net/rfc/deprecations_php_8_4#sessionsid_length_and_sess...

Symfony https://github.com/symfony/symfony/pull/57805

In other words changing the default values will either generate session IDs that raise eyebrows (4 bits per character with less than 32 characters or 5 bpc for less than 26 characters) or generate session IDs that are needlessly strong, increasing CPU costs, due to the additional randomness required, and increasing the chance for interoperability problems, such as the mod_security example.

For this reason we propose to deprecate the two INI settings in favor of the opinionated choice of the current defaults of a 32 character hexadecimal session ID.

The hexadecimal character set is not expected to cause any interoperability issues, as it is the most limited one of the currently available ones and hexadecimal identifiers are likely the most commonly used. While this would increase the length of the session ID from the previous minimum of 22 characters (which is a secure choice when combined with 6 bits per character) to 32, we do not expect this to be an issue in practice. The difference in traffic is minimal and a hexadecimal session ID is trivially packed into a 16 Byte binary string using hex2bin(), should storage requirements of the session backend be a concern.

Steps to reproduce

core$ git grep sid_length
core/assets/scaffold/files/default.services.yml:57:    sid_length: 48
core/core.services.yml:18:    sid_length: 48
core/lib/Drupal/Core/Session/SessionConfiguration.php:28:    // Provide sensible defaults for sid_length, sid_bits_per_character and
core/lib/Drupal/Core/Session/SessionConfiguration.php:32:      'sid_length' => 48,
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:269:  public function testConstructorDefaultSettings(array $options, int $expected_sid_length, int $expected_sid_bits_per_character, string $expected_name_suffix): void {
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:272:    $this->assertSame($expected_sid_length, $options['sid_length']);
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:286:      [['sid_length' => 100], 100, 6, ''],
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:289:      [['sid_length' => 100, 'sid_bits_per_character' => 5, 'name_suffix' => 'some-suffix'], 100, 5, 'some-suffix'],
sites/default/default.services.yml:57:    sid_length: 48

core$ git grep sid_bits_per_character
core/assets/scaffold/files/default.services.yml:66:    sid_bits_per_character: 6
core/core.services.yml:19:    sid_bits_per_character: 6
core/lib/Drupal/Core/Session/SessionConfiguration.php:28:    // Provide sensible defaults for sid_length, sid_bits_per_character and
core/lib/Drupal/Core/Session/SessionConfiguration.php:33:      'sid_bits_per_character' => 6,
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:269:  public function testConstructorDefaultSettings(array $options, int $expected_sid_length, int $expected_sid_bits_per_character, string $expected_name_suffix): void {
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:273:    $this->assertSame($expected_sid_bits_per_character, $options['sid_bits_per_character']);
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:287:      [['sid_bits_per_character' => 5], 48, 5, ''],
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:289:      [['sid_length' => 100, 'sid_bits_per_character' => 5, 'name_suffix' => 'some-suffix'], 100, 5, 'some-suffix'],
sites/default/default.services.yml:66:    sid_bits_per_character: 6

Proposed resolution

discuss how to prevent using deprecated code

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

πŸ“Œ Task
Status

Fixed

Version

10.4 ✨

Component
BaseΒ  β†’

Last updated about 8 hours ago

Created by

πŸ‡«πŸ‡·France andypost

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Production build 0.71.5 2024