
This is an old revision of the document!


PHP RFC: Add session_create_id() function

Introduction

Session IDs are created by the session module's internal bin_to_readable() function, which turns binary data into a readable string. The new session_create_id() function uses bin_to_readable() to create a session ID string with a user-defined prefix. A session ID may use the characters 'a'-'z', 'A'-'Z', ',' and '-'. Without session_create_id(), users have to implement their own bin_to_readable() in userland.

Proposal

Add the session_create_id() function:

string session_create_id([string $prefix])

NOTE: The prefix length is not counted as part of session.sid_length. The session ID length becomes 'prefix length' + session.sid_length. The total length must be less than 256 characters.

session_create_id() creates a new session ID using:

  • the default internal function (php_session_create_id()) when the session is NOT active;
  • the save handler's session ID creation function when the session is active.
    • Additionally, if the save handler defines a session ID validation function, collisions are detected.

Note: The user-defined session ID creation function (handler) is not documented, but it exists: http://php.net/manual/en/book.session.php. It is not documented because the object-based save handler has a non-standard method name, i.e. create_sid() rather than createSid(). A rename will be proposed in a different RFC. (It was documented after this RFC was created.) If you would like to see how it is used, please refer to the phpt files.

Use case

Prefix the session ID with the user ID. This is useful for finding the active session IDs of a given user.

<?php
function create_logged_in_session($uid) {
  // Mark the old session as obsolete. Timestamp based session management is mandatory.
  $_SESSION['OBSOLETE'] = time(); // Access to this session after a few minutes is suspicious. Should be checked upon starting the session.

  // Make sure the old session does not have 'uid' in $_SESSION
  unset($_SESSION['uid']);

  // The session is active here. It is safe to generate a new session ID while the session is active,
  // because session ID collisions are detected by the session module if the save handler implements a session ID validation function.
  $sid = session_create_id($uid.'-');

  // Save and close the old session.
  session_commit();

  // use_strict_mode should be enabled by default for session security.
  // However, it must be disabled to use a custom session ID.
  ini_set('session.use_strict_mode', false);

  // Set your own session ID and start the session.
  session_id($sid);
  // The collision check was already done in the previous active session.
  session_start();

  // Error check
  if (session_id() !== $sid) {
    throw new Exception('Should not happen'); // A save handler could cause this, but it should never happen normally.
  }

  $_SESSION['uid'] = $uid;
}

function my_session_start() {
  // use_strict_mode should be enabled for security reasons.
  ini_set('session.use_strict_mode', 1);

  session_start();

  // Check for an obsolete session. A fresh session has no 'OBSOLETE' timestamp yet,
  // so test isset() first; otherwise the missing key compares as null and every new session would be rejected.
  if (isset($_SESSION['OBSOLETE']) && $_SESSION['OBSOLETE'] < time() - 300) {
    throw new Exception('Obsolete session access. Possible security breach');
  }
}
?>

If session data is stored in a database, administrators can list the active sessions for a uid easily and efficiently.
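The following is an added example, not code from the RFC or from php-src: a minimal user-land save handler that implements the two optional methods session_create_id() relies on while a session is active, create_sid() (SessionIdInterface) and validateId() (SessionUpdateTimestampHandlerInterface, PHP 7.1+), plus the per-uid listing the use case describes. The in-memory store, the class name PrefixAwareHandler, the helper sessionsForUser() and the uid 42 are assumptions made for the example.

```php
<?php
// Added example (not part of the RFC). Assumption: session IDs are "<uid>-<random>",
// as produced by session_create_id($uid . '-') in the use case above.
class PrefixAwareHandler implements SessionHandlerInterface, SessionIdInterface,
    SessionUpdateTimestampHandlerInterface
{
    private $store = [];   // sid => serialized data (constructed in-memory store)

    public function open($path, $name) { return true; }
    public function close() { return true; }
    public function read($id) { return $this->store[$id] ?? ''; }
    public function write($id, $data) { $this->store[$id] = $data; return true; }
    public function destroy($id) { unset($this->store[$id]); return true; }
    public function gc($max_lifetime) { return 0; }

    // Used by session_create_id() instead of php_session_create_id() while the session is active.
    public function create_sid() {
        return bin2hex(random_bytes(16));
    }
    // true means "this ID already exists in the store": session_create_id() treats that as a
    // collision and asks create_sid() for another ID; session_start() uses it for use_strict_mode.
    public function validateId($id) { return isset($this->store[$id]); }
    public function updateTimestamp($id, $data) { return $this->write($id, $data); }

    // Administrative helper: all stored session IDs that belong to one user.
    public function sessionsForUser($uid) {
        return array_values(array_filter(array_keys($this->store),
            function ($sid) use ($uid) { return strpos($sid, $uid . '-') === 0; }));
    }
}

$handler = new PrefixAwareHandler();
session_set_save_handler($handler, true);
ini_set('session.use_strict_mode', 0);  // required to accept a caller-supplied ID below
session_start();
// Session is active, so the handler's create_sid() is used and validateId() guards against collisions.
$sid = session_create_id('42-');
session_commit();

session_id($sid);
session_start();
$_SESSION['uid'] = 42;
session_commit();

print_r($handler->sessionsForUser('42'));   // one entry, starting with "42-"
```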

Backward Incompatible Changes

None. Just a new function.

Proposed PHP Version(s)

PHP 7.1

Voting Choices

This project requires a 2/3 majority

Add session_create_id() function
Real name Yes No
bishop (bishop)  
diegopires (diegopires)  
ericsten (ericsten)  
lstrojny (lstrojny)  
mariano (mariano)  
mike (mike)  
ocramius (ocramius)  
stas (stas)  
yohgaki (yohgaki)  
Count: Yes 8, No 1

Vote starts: 2016/08/10 - Vote ends: 2016/08/17 23:59:59 UTC

Patches and Tests

Implementation

After the project is implemented, this section should contain

  1. the version(s) it was merged to
  2. a link to the git commit(s)
  3. a link to the PHP manual entry for the feature

References

Max/min length of session ID is defined by

Rejected Features

Keep this updated with features that were discussed on the mail lists.

rfc/session-create-id.1470820741.txt.gz · Last modified: 2017/09/22 13:28 (external edit)