diff options
| author | VirtualTam <virtualtam@flibidi.net> | 2015-09-03 23:12:58 +0200 |
|---|---|---|
| committer | VirtualTam <virtualtam@flibidi.net> | 2015-09-06 16:14:24 +0200 |
| commit | 68bc21353a6138a898724c8bb87684bb2b6b2c1c (patch) | |
| tree | 8c100e6ca4cba5870640cf3e0ec688b1f0fa7474 /tests/utils | |
| parent | a02257b8aed58ef2f8536c877ce2fb222f84ac40 (diff) | |
| download | Shaarli-68bc21353a6138a898724c8bb87684bb2b6b2c1c.tar.gz Shaarli-68bc21353a6138a898724c8bb87684bb2b6b2c1c.tar.zst Shaarli-68bc21353a6138a898724c8bb87684bb2b6b2c1c.zip | |
Session ID: extend the regex to match possible hash representations
Improves #306
Relates to #335 & #336
Duplicated by #339
Issues:
- PHP regenerates the session ID if it is not compliant
- the regex checking the session ID does not cover all cases
- different algorithms: md5, sha1, sha256, etc.
- bit representations: 4, 5, 6
Fix:
- `index.php`:
- remove `uniqid()` usage
- call `session_regenerate_id()` if an invalid cookie is detected
- regex: support all possible characters - '[a-zA-Z,-]{2,128}'
- tests: add coverage for all algorithms & bit representations
See:
- http://php.net/manual/en/session.configuration.php#ini.session.hash-function
- https://secure.php.net/manual/en/session.configuration.php#ini.session.hash-bits-per-character
- http://php.net/manual/en/function.session-id.php
- http://php.net/manual/en/function.session-regenerate-id.php
- http://php.net/manual/en/function.hash-algos.php
Signed-off-by: VirtualTam <virtualtam@flibidi.net>
Diffstat (limited to 'tests/utils')
| -rw-r--r-- | tests/utils/ReferenceSessionIdHashes.php | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/tests/utils/ReferenceSessionIdHashes.php b/tests/utils/ReferenceSessionIdHashes.php new file mode 100644 index 00000000..60b1c007 --- /dev/null +++ b/tests/utils/ReferenceSessionIdHashes.php | |||
| @@ -0,0 +1,55 @@ | |||
| 1 | <?php | ||
| 2 | /** | ||
| 3 | * Testing the untestable - Session ID generation | ||
| 4 | */ | ||
| 5 | class ReferenceSessionIdHashes | ||
| 6 | { | ||
| 7 | // Session ID hashes | ||
| 8 | protected static $sidHashes = null; | ||
| 9 | |||
| 10 | /** | ||
| 11 | * Generates session ID hashes for all algorithms & bit representations | ||
| 12 | */ | ||
| 13 | public static function genAllHashes() | ||
| 14 | { | ||
| 15 | foreach (hash_algos() as $algo) { | ||
| 16 | self::$sidHashes[$algo] = array(); | ||
| 17 | |||
| 18 | foreach (array(4, 5, 6) as $bpc) { | ||
| 19 | self::$sidHashes[$algo][$bpc] = self::genSidHash($algo, $bpc); | ||
| 20 | } | ||
| 21 | } | ||
| 22 | } | ||
| 23 | |||
| 24 | /** | ||
| 25 | * Generates a session ID for a given hash algorithm and bit representation | ||
| 26 | * | ||
| 27 | * @param string $function name of the hash function | ||
| 28 | * @param int $bits_per_character representation type | ||
| 29 | * | ||
| 30 | * @return string the generated session ID | ||
| 31 | */ | ||
| 32 | protected static function genSidHash($function, $bits_per_character) | ||
| 33 | { | ||
| 34 | if (session_id()) { | ||
| 35 | session_destroy(); | ||
| 36 | } | ||
| 37 | |||
| 38 | ini_set('session.hash_function', $function); | ||
| 39 | ini_set('session.hash_bits_per_character', $bits_per_character); | ||
| 40 | |||
| 41 | session_start(); | ||
| 42 | return session_id(); | ||
| 43 | } | ||
| 44 | |||
| 45 | /** | ||
| 46 | * Returns the reference hash array | ||
| 47 | * | ||
| 48 | * @return array session IDs generated for all available algorithms and bit | ||
| 49 | * representations | ||
| 50 | */ | ||
| 51 | public static function getHashes() | ||
| 52 | { | ||
| 53 | return self::$sidHashes; | ||
| 54 | } | ||
| 55 | } | ||