This is an old revision of the document!
PHP RFC: Add session_create_id() function
- Version: 0.1
- Created Date: 2016-04-07
- Modified Date: 2016-04-07
- Author: Yasuo Ohgaki yohgaki@ohgaki.net
- Status: Under Discussion
- First Published at: http://wiki.php.net/rfc/session-create-id
Introduction
Session ID is created by session internal bin_to_reabable() function. bin_to_readable() creates readable string from binary data depending. New session_create_id() uses bin_to_readable() to create user defined session ID string. Session ID may use 'a'-'z', 'A'-'Z', ',', '-'. Without session_create_id(), user has to implement their own bin_to_readable() in user land.
Proposal
Add session_create_id() function
string session_create_id([string $prefix])
NOTE: Prefix length is not considered as a part of session.sid_length. Session ID length became 'prefix length' + session.sid_length. Total length must be less than 256 chars.
session_create_id() will create new session ID by
- Default internal function(php_session_create_id()) when session is NOT active.
- Save handler defined session ID creation function when session is active.
- Additionally, if session ID validation function is defined, collision is detected.
Note: User defined session ID creation function(handler) is not documented, but it's there.
http://php.net/manual/en/book.session.php
It's not documented because Object based save handler has non standard method name. i.e. create_sid() rather than createSid(). Rename will be proposed by different RFC.(Documented after this RFC is created) If you would like to see how it is used, please refer to phpt files.
- and so on
Use case
Prefix session ID by user id. This could be useful to search active session IDs for a user.
<?php function create_logged_in_session($uid) { // Mark obsolete session as obsolete. Timestamp based session management is mandatory. $_SESSION['OBSOLETE'] = time(); // Warn access to this session after a few minutes. Should be checked upon starting session. // Make sure old session does not have 'uid' in $_SESSION unset($_SESSION['uid']); // Session is active here. It is safe to generate new session ID while session is active, // because session ID collision is detected by session module if save handler implements session ID validation function. $sid = session_create_id($uid.'-'); // Save and close old session. session_commit(); // use_strict_mode should be enabled by default for session security. // However, it must be disable to use custom session ID. ini_set('session.use_strict_mode', false); // Set your own session ID and start session. session_id($sid); // Collision is checked already in previous active session. session_start(); // Error check if (session_id() !== $sid) { throw new Exception('Should not happen'); // Save handlers could do something cause this. This should never happen usually. } $_SESSION['uid'] = $uid; } function my_session_start() { // Should enable use_strict_mode for security reasons. ini_set('session.use_strict_mode', 1); session_start(); // Check obsolete session if ($_SESSION['OBSOLETE'] < time() - 300) { throw new Exception('Obsolete session access. Possible security breach'); } } ?>
If session data is stored in database, administrators are able to list active session per uid easily and efficiently.
Backward Incompatible Changes
None. Just a new function.
Proposed PHP Version(s)
PHP 7.1
Voting Choices
This project requires a 2/3 majority
Vote starts: 2016/08/10 - Vote ends: 2016/08/17 23:59:59 UTC
Patches and Tests
Implementation
After the project is implemented, this section should contain
- the version(s) it was merged to
- a link to the git commit(s)
- a link to the PHP manual entry for the feature
References
Max/min length of session ID is defined by
Rejected Features
Keep this updated with features that were discussed on the mail lists.