diff --git a/system/Session/Handlers/FileHandler.php b/system/Session/Handlers/FileHandler.php
index 4dbec779526a..2b2425eb0458 100644
--- a/system/Session/Handlers/FileHandler.php
+++ b/system/Session/Handlers/FileHandler.php
@@ -309,32 +309,25 @@ public function gc($max_lifetime)
 /**
 * Configure Session ID regular expression
+ *
+ * To make life easier, we force the PHP defaults. Because PHP9 forces them.
+ * See https://wiki.php.net/rfc/deprecations_php_8_4#sessionsid_length_and_sessionsid_bits_per_character
 */
 protected function configureSessionIDRegex()
 {
 $bitsPerCharacter = (int) ini_get('session.sid_bits_per_character');
- $SIDLength = (int) ini_get('session.sid_length');
-
- if (($bits = $SIDLength * $bitsPerCharacter) < 160) {
- // Add as many more characters as necessary to reach at least 160 bits
- $SIDLength += (int) ceil((160 % $bits) / $bitsPerCharacter);
- ini_set('session.sid_length', (string) $SIDLength);
- }
-
- switch ($bitsPerCharacter) {
- case 4:
- $this->sessionIDRegex = '[0-9a-f]';
- break;
+ $sidLength = (int) ini_get('session.sid_length');
- case 5:
- $this->sessionIDRegex = '[0-9a-v]';
- break;
-
- case 6:
- $this->sessionIDRegex = '[0-9a-zA-Z,-]';
- break;
+ // We force the PHP defaults.
+ if (PHP_VERSION_ID < 90000) {
+ if ($bitsPerCharacter !== 4) {
+ ini_set('session.sid_bits_per_character', '4');
+ }
+ if ($sidLength !== 32) {
+ ini_set('session.sid_length', '32');
+ }
 }
- $this->sessionIDRegex .= '{' . $SIDLength . '}';
+ $this->sessionIDRegex = '[0-9a-f]{32}';
 }
 }
diff --git a/system/Session/Session.php b/system/Session/Session.php
index 0aabcbe31d53..cf11e92f6274 100644
--- a/system/Session/Session.php
+++ b/system/Session/Session.php
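Review bot: The two `ini_set()` calls added to `configureSessionIDRegex()` in FileHandler.php ignore their return value, yet the pattern is then fixed to `[0-9a-f]{32}` unconditionally. `ini_set()` returns `false` when a setting cannot be changed (for session options this typically happens once a session is active or headers have been sent), and in that case PHP would keep issuing IDs in the configured length and alphabet, which this pattern never matches. How the pattern is consumed is outside the hunk, but anything that filters session files or IDs by it would silently skip them. Consider checking the result, e.g. `if ($sidLength !== 32 && ini_set('session.sid_length', '32') === false) { /* log or throw */ }`, and likewise for `session.sid_bits_per_character`. The same applies to `configureSidLength()` in Session.php.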
@@ -316,49 +316,25 @@ protected function configure()
 /**
 * Configure session ID length
 *
- * To make life easier, we used to force SHA-1 and 4 bits per
- * character on everyone. And of course, someone was unhappy.
- *
- * Then PHP 7.1 broke backwards-compatibility because ext/session
- * is such a mess that nobody wants to touch it with a pole stick,
- * and the one guy who does, nobody has the energy to argue with.
- *
- * So we were forced to make changes, and OF COURSE something was
- * going to break and now we have this pile of shit. -- Narf
+ * To make life easier, we force the PHP defaults. Because PHP9 forces them.
+ * See https://wiki.php.net/rfc/deprecations_php_8_4#sessionsid_length_and_sessionsid_bits_per_character
 */
 protected function configureSidLength()
 {
- $bitsPerCharacter = (int) (ini_get('session.sid_bits_per_character') !== false
- ? ini_get('session.sid_bits_per_character')
- : 4);
-
- $sidLength = (int) (ini_get('session.sid_length') !== false
- ? ini_get('session.sid_length')
- : 40);
-
- if (($sidLength * $bitsPerCharacter) < 160) {
- $bits = ($sidLength * $bitsPerCharacter);
- // Add as many more characters as necessary to reach at least 160 bits
- $sidLength += (int) ceil((160 % $bits) / $bitsPerCharacter);
- ini_set('session.sid_length', (string) $sidLength);
- }
+ $bitsPerCharacter = (int) ini_get('session.sid_bits_per_character');
+ $sidLength = (int) ini_get('session.sid_length');
- // Yes, 4,5,6 are the only known possible values as of 2016-10-27
- switch ($bitsPerCharacter) {
- case 4:
- $this->sidRegexp = '[0-9a-f]';
- break;
-
- case 5:
- $this->sidRegexp = '[0-9a-v]';
- break;
-
- case 6:
- $this->sidRegexp = '[0-9a-zA-Z,-]';
- break;
+ // We force the PHP defaults.
+ if (PHP_VERSION_ID < 90000) {
+ if ($bitsPerCharacter !== 4) {
+ ini_set('session.sid_bits_per_character', '4');
+ }
+ if ($sidLength !== 32) {
+ ini_set('session.sid_length', '32');
+ }
 }
- $this->sidRegexp .= '{' . $sidLength . '}';
+ $this->sidRegexp = '[0-9a-f]{32}';
 }
 /**
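Review bot: The new docblock on `configureSidLength()` does not record that the previous 160-bit minimum is gone: 32 characters at 4 bits each is 128 bits, and `sidRegexp` now accepts only that format. Session IDs issued under a non-default `session.sid_length` or `session.sid_bits_per_character` will presumably stop matching after upgrade, so users on such configurations would get fresh sessions. That deserves a docblock line and an upgrade note, for example `* Session IDs are always 32 hex characters (128 bits); IDs issued under other settings no longer match.` As a style point, the two `ini_get()` reads could move inside the `PHP_VERSION_ID < 90000` branch, since their values are unused outside it.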