PHP RFC: Add session_create_id() function

• Version: 0.1
• Created Date: 2016-04-07
• Modified Date: 2016-04-07
• Author: Yasuo Ohgaki yohgaki@ohgaki.net
• Status: Under Discussion
• First Published at: http://wiki.php.net/rfc/session-create-id

Session ID is created by session internal bin_to_reabable() function. bin_to_readable() creates readable string from binary data depending. New session_create_id() uses bin_to_readable() to create user defined session ID string. Session ID may use 'a'-'z', 'A'-'Z', ',', '-'. Without session_create_id(), user has to implement their own bin_to_readable() in user land.

Add session_create_id() function

string session_create_id([string $prefix])

session_create_id() will create new session ID by

• Default internal function(php_session_create_id()) when session is not active.
• User defined session ID creation function when session is active.

Session ID collision is detected upon session_start(). Therefore, different session ID could be assigned by collision and session.use_strict_mode=1. User defined session ID creation function may detect collisions if collision is a problem.

Note: Session ID creation function is not documented, but it's there. http://php.net/manual/en/book.session.php It's not documented because Object based save handler has non standard method name. i.e. create_sid() rather than createSid(). Rename will be proposed by different RFC. If you would like to see how it is used, please refer to phpt files.

• https://github.com/php/php-src/blob/master/ext/session/tests/save_handler.inc
• https://github.com/php/php-src/blob/master/ext/session/tests/session_set_save_handler_iface_003.phpt
• and so on

Prefix session ID by user id. This could be useful to search active session IDs for a user.

<?php
function create_logged_in_session($uid) {
  // Mark obsolete session as obsolete.
  $_SESSION['OBSOLETE'] = time(); // Warn access to this session after a few minutes. Should be checked upon starting session.
 
  // Make sure old session does not have 'uid' in $_SESSION
  unset($_SESSION['uid']);
 
  // Save and close session.
  session_commit(); 
 
  ///////// Prepare new logged in SID /////////////
 
  // Session is active here. So user defined session ID creation function is used. Users may check collision optionally.
  $sid = session_create_id($uid.'-');  
 
  // Disable to use custom session ID. use_strict_mode should be enabled by default for session security.
  ini_set('session.use_strict_mode', false); 
 
  // Set your own session ID and start session.
  session_id($sid);
 
  // If save handler has validate_sid() callback, collision is detected when use_strict_mode=1. Currently disabled. 
  session_start(); 
 
  // Error check
  if (session_id() !== $sid) {
    throw new Exception('Should not happen'); // Save handlers could do something cause this
  }
 
  $_SESSION['uid'] = $uid;
}
 
function my_session_start() {
  // Should enable use_strict_mode
  ini_set('session.use_strict_mode', 1);
 
  session_start();
 
  // Check obsolete session
  if ($_SESSION['OBSOLETE'] < time() - 300) {
    throw new Exception('Obsolete session access. Possible security breach');
  } 
}
?>

If session data is stored in database, administrators are able to list active session per uid easily and efficiently.

None.

PHP 7.1

This project requires a 2/3 majority

Add session_create_id() frunction
Real name	Yes	No
bishop (bishop)
diegopires (diegopires)
ericsten (ericsten)
lstrojny (lstrojny)
mariano (mariano)
mike (mike)
ocramius (ocramius)
stas (stas)
yohgaki (yohgaki)
Count:	8	1

Vote starts: 2016/08/10 - Vote ends: 2016/08/17 23:59:59 UTC

• https://github.com/php/php-src/pull/1853

After the project is implemented, this section should contain

1. the version(s) it was merged to
2. a link to the git commit(s)
3. a link to the PHP manual entry for the feature

Max/min length of session ID is defined by

• https://wiki.php.net/rfc/session-id-without-hashing

Keep this updated with features that were discussed on the mail lists.