
Commit 9482bc9

committed
Made the _configure_sid_length() more versatile
1 parent d85ef2b commit 9482bc9


1 file changed

+23
-17
lines changed


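--- a/htdocs/system/libraries/Session/Session.php
+++ b/htdocs/system/libraries/Session/Session.php
@@ -375,34 +375,40 @@ protected function _configure(&$params)
 /**
 * Configure session ID length
 *
-* To make life easier, we used to force SHA-1 and 4 bits per
-* character on everyone. And of course, someone was unhappy.
-*
-* Then PHP 7.1 broke backwards-compatibility because ext/session
-* is such a mess that nobody wants to touch it with a pole stick,
-* and the one guy who does, nobody has the energy to argue with.
-*
-* So we were forced to make changes, and OF COURSE something was
-* going to break and now we have this pile of shit. -- Narf
+* Updated to support PHP 7.0+ while handling the 7.1+ INI changes
+* and avoiding PHP 8.4 deprecation notices.
 *
 * @return void
 */
 protected function _configure_sid_length()
 {
-$bits_per_character = (int) ini_get('session.sid_bits_per_character');
-$sid_length = (int) ini_get('session.sid_length');
-
-// Enforce defaults only where runtime mutation is allowed
-if (PHP_VERSION_ID < 80400) {
-if ($bits_per_character !== 4) {
+// Enforce legacy defaults (only for PHP 7.1 - 8.3)
+if (PHP_VERSION_ID >= 70100 && PHP_VERSION_ID < 80400) {
+if (ini_get('session.sid_bits_per_character') !== '4') {
 ini_set('session.sid_bits_per_character', '4');
 }
-if ($sid_length !== 32) {
+if (ini_get('session.sid_length') !== '32') {
 ini_set('session.sid_length', '32');
 }
 }
 
-$this->_sid_regexp = '[0-9a-f]{32}';
+// Read the actual final configuration
+$sid_length = (int) @ini_get('session.sid_length');
+$bits_per_char = (int) @ini_get('session.sid_bits_per_character');
+
+// Fallback for safety (if ini_get failed or returned 0)
+$sid_length = ($sid_length > 0) ? $sid_length : 32;
+$bits_per_char = ($bits_per_char > 0) ? $bits_per_char : 4;
+
+// Map the alphabet correctly
+switch ($bits_per_char) {
+case 4: $alpha = '0-9a-f'; break;
+case 5: $alpha = '0-9a-v'; break;
+case 6: $alpha = '0-9a-zA-Z,-'; break;
+default: $alpha = '0-9a-f';
+}
+
+$this->_sid_regexp = '[' . $alpha . ']{' . $sid_length . '}';
 }
 
 // ------------------------------------------------------------------------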
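Review bot: In the added lines after the version check (new 395–411), `_sid_regexp` is now derived from whatever `session.sid_length` and `session.sid_bits_per_character` report, and on PHP 8.4+ nothing enforces a minimum, so a host configured for short IDs gets a validator that accepts them. Before this change the pattern was pinned to 32 hex characters (128 bits) and a weaker configuration failed closed. I would keep a floor after the `switch`, for example `if ($sid_length * $bits_per_char < 128) { $alpha = '0-9a-f'; $sid_length = 32; }`, and log the mismatch. The docblock also claims PHP 7.0+ support, but these two INI keys only exist from 7.1, so on 7.0 both reads hit the fallback and `[0-9a-f]{32}` is a guess rather than something derived from `session.hash_function` / `session.hash_bits_per_character`; either handle that branch or document 7.1+ as the minimum. `ini_get()` returns `false` for an unknown key without raising a warning, so the `@` on both reads can be dropped.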
