Wednesday, July 1, 2009

Generating Custom Session ID in PHP 5

Another one of my favorite questions from Zend PHP 5 Certification Mock Exam. Correct answer in bold.
If you would like to change the session ID generation function, which of the following is the best approach for PHP 5?
  • Set the session.hash_function INI configuration directive
  • Use the session_set_id_generator() function
  • Set the session id by force using the session_id() function
  • Use the session_regenerate_id() function
  • Implement a custom session handler
Surprisingly, the most obvious answer, made sound like something not really reasonable, is the correct one. A few words of explanation.
And session_id() is the only one on the list allowing to set custom session id and definitely it is the correct answer.

11 comments:

  1. How can I do this? PHP doesn't allows to redeclare functions

    ReplyDelete
  2. dude you are Wrong! the correct answer would be "Use the session_regenerate_id() function"

    ReplyDelete
  3. http://blogs.sans.org/appsecstreetfighter/2009/06/29/session-attacks-and-php-part-2/

    http://us.php.net/manual/en/function.session-regenerate-id.php

    ReplyDelete
  4. Hi jpablobr, thanks for the comment. As I see it, the question is about changing session generation algorithm and not about session attacks. I would hold the ground.

    ReplyDelete
  5. snowcore, the trick is to generate the id using your own algorithm and then force-set it using session_id().

    ReplyDelete
  6. i guess the answer should be "Set the session.hash_function INI configuration directive"

    because the question is "If you would like to change the session ID generation function"
    means changing "session ID generation function" and not the session ID

    let me know your views

    ReplyDelete
  7. I believe samsami2u is correct. I had this same question in the PHP 5 mock exam. The question is asking how you 'change the session ID generation' which implys that you are required to change the built-in session ID generation, not provide your own session id.

    ReplyDelete
  8. Hi guys, thanks for your comments.
    I agree that the question itself is not very clear so there is some space for interpretation. I might be wrong with mine, it happens only too often. However, the question starts with "if you would like to change the session ID generation function" and I believe the key phrase here is "ID generation function". PHP allows for changing ID generation ALGORITHM (the discussed above session.hash_function) but the only way to change the ID generation FUNCTION is to create a function which generates the ID and then calls session_id() to set it.

    I hope it makes more sense now.

    Jacek

    ReplyDelete
  9. I would agree with you, Jacek. The hash setting simply changes the algo the existing function uses... but then again it is labeled "session.hash_FUNCTION" which further confuses the issue, though the docs say changing the hash function value merely "allows you to specify the hash algorithm used to generate the session IDs". If the correct answer really is changing the session.hash_function, then it is only proof as to why i hate written tests for something like programming, which should test your skills at implementing a solution and the elegance of that solution, not confuse you with badly worded and vague questions.

    ReplyDelete
  10. There's no doubt about it that the question is as clear as mud. I had to re-read it a few times to get it into my cranium.

    However, I think you are correct in your initial post Jacek.

    Cheers for the post again.

    Picco

    ReplyDelete
  11. My recommendation is to override the session handling with session_set_save_handler, then in the 'read' function, which is the first function call after session_start() check the length of the session_id, it defaults to 26 characters so if you make your custom ones say 40 chars long then you'll know if its a new session thats not been overridden yet by checking the length.

    You can then generate a random string for the session and pass it into session_id($new_id) like so before continuing your processing.

    Sim

    ReplyDelete