author | VirtualTam <virtualtam@flibidi.net> | 2015-09-03 23:12:58 +0200 |
---|---|---|
committer | VirtualTam <virtualtam@flibidi.net> | 2015-09-06 16:14:24 +0200 |
commit | 68bc21353a6138a898724c8bb87684bb2b6b2c1c (patch) | |
tree | 8c100e6ca4cba5870640cf3e0ec688b1f0fa7474 /tests/utils | |
parent | a02257b8aed58ef2f8536c877ce2fb222f84ac40 (diff) | |
download | Shaarli-68bc21353a6138a898724c8bb87684bb2b6b2c1c.tar.gz Shaarli-68bc21353a6138a898724c8bb87684bb2b6b2c1c.tar.zst Shaarli-68bc21353a6138a898724c8bb87684bb2b6b2c1c.zip |
Session ID: extend the regex to match possible hash representations
Improves #306
Relates to #335 & #336
Duplicated by #339
Issues:
- PHP regenerates the session ID if it is not compliant
- the regex checking the session ID does not cover all cases
- different algorithms: md5, sha1, sha256, etc.
- bit representations: 4, 5, 6
Fix:
- `index.php`:
- remove `uniqid()` usage
- call `session_regenerate_id()` if an invalid cookie is detected
- regex: support all possible characters - '[a-zA-Z,-]{2,128}'
- tests: add coverage for all algorithms & bit representations
See:
- http://php.net/manual/en/session.configuration.php#ini.session.hash-function
- https://secure.php.net/manual/en/session.configuration.php#ini.session.hash-bits-per-character
- http://php.net/manual/en/function.session-id.php
- http://php.net/manual/en/function.session-regenerate-id.php
- http://php.net/manual/en/function.hash-algos.php
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'tests/utils')
-rw-r--r-- | tests/utils/ReferenceSessionIdHashes.php | 55 |
1 files changed, 55 insertions, 0 deletions
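--- /dev/null
+++ b/tests/utils/ReferenceSessionIdHashes.php
@@ -0,0 +1,55 @@
+<?php
+/**
+* Testing the untestable - Session ID generation
+*/
+class ReferenceSessionIdHashes
+{
+// Session ID hashes
+protected static $sidHashes = null;
+
+/**
+* Generates session ID hashes for all algorithms & bit representations
+*/
+public static function genAllHashes()
+{
+foreach (hash_algos() as $algo) {
+self::$sidHashes[$algo] = array();
+
+foreach (array(4, 5, 6) as $bpc) {
+self::$sidHashes[$algo][$bpc] = self::genSidHash($algo, $bpc);
+}
+}
+}
+
+/**
+* Generates a session ID for a given hash algorithm and bit representation
+*
+* @param string $function name of the hash function
+* @param int $bits_per_character representation type
+*
+* @return string the generated session ID
+*/
+protected static function genSidHash($function, $bits_per_character)
+{
+if (session_id()) {
+session_destroy();
+}
+
+ini_set('session.hash_function', $function);
+ini_set('session.hash_bits_per_character', $bits_per_character);
+
+session_start();
+return session_id();
+}
+
+/**
+* Returns the reference hash array
+*
+* @return array session IDs generated for all available algorithms and bit
+* representations
+*/
+public static function getHashes()
+{
+return self::$sidHashes;
+}
+}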
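Review bot: genSidHash() (new file lines 32-43) never checks the return values of ini_set() and session_start(), so if session.hash_function rejects an algorithm name or the session cannot be restarted, session_id() still returns a value and the reference table silently fills with IDs produced under a different setting than the key claims. Because this table is what the session-ID regex is validated against, a wrong entry would let the tests pass without ever exercising that algorithm or bit width. I would throw on false so a misconfigured environment fails loudly instead of producing misleading fixtures; on PHP versions that no longer expose these ini keys the same throw gives the harness a clear signal to skip. The description's regex `[a-zA-Z,-]{2,128}` appears to omit `0-9`, which 4-bit (hex) IDs contain; presumably a typo in the message rather than in index.php, which is outside this diff.
```php
protected static function genSidHash($function, $bits_per_character)
{
    // … unchanged: session_destroy() guard …

    if (ini_set('session.hash_function', $function) === false
        || ini_set('session.hash_bits_per_character', $bits_per_character) === false) {
        throw new RuntimeException('Unable to configure session ID hashing for ' . $function);
    }

    if (session_start() === false) {
        throw new RuntimeException('Unable to start a session for ' . $function);
    }
    return session_id();
}
```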