PHP RFC: Add session_create_id() function
- Version: 0.1
- Created Date: 2016-04-07
- Modified Date: 2016-04-07
- Author: Yasuo Ohgaki yohgaki@ohgaki.net
- Status: Under Discussion
- First Published at: http://wiki.php.net/rfc/session-create-id
Introduction
Session IDs are created by the session module's internal bin_to_readable() function, which turns binary data into a readable string. The new session_create_id() uses bin_to_readable() to create a user defined session ID string. A session ID may use 'a'-'z', 'A'-'Z', ',', '-'. Without session_create_id(), users have to implement their own bin_to_readable() in user land.
Proposal
Add session_create_id() function
string session_create_id([string $prefix])
session_create_id() will create new session ID by
- The default internal function (php_session_create_id()) when the session is not active.
- The user defined session ID creation function when the session is active.
Session ID collisions are detected upon session_start(). Therefore, when session.use_strict_mode=1 and a collision occurs, a different session ID may be assigned than the one passed to session_id(). A user defined session ID creation function may detect collisions itself if collisions are a problem.
Note: The session ID creation function (create_sid) is not documented, but it exists: http://php.net/manual/en/book.session.php It is not documented because the object based save handler has a non standard method name, i.e. create_sid() rather than createSid(). A rename will be proposed in a different RFC. If you would like to see how it is used, please refer to the phpt files.
Use case
Prefix the session ID with the user ID. This makes it possible to search for the active session IDs of a user.
```php
<?php
function create_logged_in_session($uid)
{
    // Mark the old (pre-login) session as obsolete. Access to it after a few
    // minutes should be treated as suspicious; my_session_start() checks this.
    $_SESSION['OBSOLETE'] = time();
    // Make sure the old session does not carry 'uid' any more.
    unset($_SESSION['uid']);

    ///////// Prepare new logged in SID /////////////
    // The session is still active here, so the user defined session ID creation
    // function is used (after session_commit() the default one would be used).
    // Users may check for collisions in that function optionally.
    $sid = session_create_id($uid . '-');

    // Save and close the old session.
    session_commit();

    // Allow the custom session ID to be accepted by session_start().
    // use_strict_mode should be enabled by default for session security.
    ini_set('session.use_strict_mode', '0');
    // Set your own session ID and start the session.
    session_id($sid);
    // If the save handler has a validate_sid() callback, collisions are
    // detected when use_strict_mode=1. Currently disabled.
    session_start();
    // Error check
    if (session_id() !== $sid) {
        throw new Exception('Should not happen'); // Save handlers could do something to cause this
    }
    $_SESSION['uid'] = $uid;
}

function my_session_start()
{
    // Should enable use_strict_mode
    ini_set('session.use_strict_mode', '1');
    session_start();
    // Check for an obsolete session: one that was marked obsolete more than
    // five minutes ago and is still being accessed.
    if (isset($_SESSION['OBSOLETE']) && $_SESSION['OBSOLETE'] < time() - 300) {
        throw new Exception('Obsolete session access. Possible security breach');
    }
}
?>
```
If session data is stored in a database, administrators are able to list the active sessions per uid easily and efficiently.
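The following is an added example, not code from the RFC or from PHP itself. It shows both points made above: a save handler whose own session ID creation function detects collisions before session_start() has to, and a query that lists the active sessions of one user by the "<uid>-" prefix. It assumes PHP 7.1 with the proposed session_create_id() and uses the object form of the save handler (SessionIdInterface::create_sid() and SessionUpdateTimestampHandlerInterface::validateId(), the object equivalent of the validate_sid() callback mentioned in the note). The PdoSessionHandler class, the list_sessions_for_user() function, the sessions table and the in-memory SQLite database are all constructed for this example.

```php
<?php
// Added example (not the RFC's code). Assumes PHP 7.1 with session_create_id().
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface, SessionIdInterface,
    SessionUpdateTimestampHandlerInterface
{
    private $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        // Constructed schema: one row per session, ts = last write time.
        $this->pdo->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, ts INTEGER NOT NULL)');
    }

    // User defined session ID creation: retry until the ID is unused, so a
    // collision is caught here and not only by session_start().
    public function create_sid()
    {
        do {
            $sid = bin2hex(random_bytes(16));
        } while ($this->validateId($sid));
        return $sid;
    }

    // Called by session_start() when session.use_strict_mode=1: an ID that is
    // not in the store is rejected and a fresh one is generated instead.
    public function validateId($id)
    {
        $stmt = $this->pdo->prepare('SELECT 1 FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        return $stmt->fetchColumn() !== false;
    }

    public function updateTimestamp($id, $data)
    {
        $stmt = $this->pdo->prepare('UPDATE sessions SET ts = :ts WHERE id = :id');
        return $stmt->execute([':ts' => time(), ':id' => $id]);
    }

    public function open($savePath, $sessionName) { return true; }
    public function close() { return true; }

    public function read($id)
    {
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data;
    }

    public function write($id, $data)
    {
        // REPLACE INTO is SQLite syntax; use an upsert for other databases.
        $stmt = $this->pdo->prepare(
            'REPLACE INTO sessions (id, data, ts) VALUES (:id, :data, :ts)');
        return $stmt->execute([':id' => $id, ':data' => $data, ':ts' => time()]);
    }

    public function destroy($id)
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc($maxlifetime)
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE ts < :cutoff');
        return $stmt->execute([':cutoff' => time() - $maxlifetime]);
    }
}

// Lists the IDs of active sessions of one user, relying on the "<uid>-" prefix
// that session_create_id($uid . '-') puts in front of the random part.
function list_sessions_for_user(PDO $pdo, int $uid, int $maxlifetime = 1440): array
{
    // The int type guarantees the prefix contains only characters that are
    // valid in a session ID and no LIKE wildcards.
    $stmt = $pdo->prepare(
        'SELECT id FROM sessions WHERE id LIKE :prefix AND ts >= :cutoff');
    $stmt->execute([':prefix' => $uid . '-%', ':cutoff' => time() - $maxlifetime]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Usage from the CLI (no headers sent yet):
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new PdoSessionHandler($pdo), true);
ini_set('session.use_strict_mode', '1');

session_start();                      // anonymous session, ID from create_sid()
$sid = session_create_id('42-');      // session active: handler's create_sid() is used
session_commit();

ini_set('session.use_strict_mode', '0'); // accept the locally generated ID once
session_id($sid);
session_start();
$_SESSION['uid'] = 42;
session_commit();

var_dump(list_sessions_for_user($pdo, 42)); // the "42-..." session just written
```

Because create_sid() already loops until validateId() reports the ID as unused, the strict mode check in session_start() becomes a second line of defence rather than the only one; the prefix query stays efficient as long as the id column is indexed, which the primary key provides here.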
Backward Incompatible Changes
None.
Proposed PHP Version(s)
PHP 7.1
Voting Choices
This project requires a 2/3 majority
Vote starts: 2016/08/10 - Vote ends: 2016/08/17 23:59:59 UTC
Patches and Tests
Implementation
After the project is implemented, this section should contain
- the version(s) it was merged to
- a link to the git commit(s)
- a link to the PHP manual entry for the feature
References
Max/min length of session ID is defined by
Rejected Features
Keep this updated with features that were discussed on the mail lists.