author: Yasuo Ohgaki <yohgaki@php.net> 2016-08-12 12:28:25 +0900
committer: Yasuo Ohgaki <yohgaki@php.net> 2016-08-12 12:31:02 +0900
commit: 3467526a65bfb15eaf9ec49a0b5673b84e26bca4
tree: 8c689d3b2d69dc45f1b5331ef5e23b26009cb3f2 /UPGRADING
parent: 1dab96c1db2d7c5663569d9c55f63d8e25a0dddc
Merge RFC: Session ID without hashing
https://wiki.php.net/rfc/session-id-without-hashing
Diffstat (limited to 'UPGRADING')
-rw-r--r-- UPGRADING 31
1 files changed, 29 insertions, 2 deletions
diff --git a/UPGRADING b/UPGRADING
index 6ec40e7619..33616627fc 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -89,6 +89,34 @@ PHP 7.1 UPGRADE NOTES
- OpenSSL:
. Dropped sslv2 stream.
+- Session:
+ . Session ID is generated from CSPNG directly. As a result, Session ID length
+ could be any length between 22 and 256. Note: Max size of session ID depends
+ on save handler you are using.
+ . Following INIs are removed
+ . session.hash_function
+ . session.hash_bits_per_charactor
+ . session.entropy_file
+ . session.entropy_length
+ . New INIs and defaults
+ . session.sid_length (Number of session ID characters - 22 to 256.
+ (php.ini-* default: 26 Compitled default: 32)
+ . session.sid_bits_per_character (Bits used per character. 4 to 6.
+ php.ini-* default: 5 Compiled default: 4)
+ Length of old session ID string is determined as follows
+ . Used hash function's bits.
+ . session.hash_function=0 - MD5 128 bits (This was default)
+ . session.hash_function=1 - SHA1 192 bits
+ . Bits per character. (4, 5 or 6 bits per character)
+ . Examples
+ MD5 and 4 bits = 32 chars, ceil(128/4)=32
+ MD5 and 5 bits = 26 chars, ceil(128/5)=26
+ MD5 and 6 bits = 22 chars, ceil(128/6)=22
+ SHA1 and 4 bits = 48 chars, ceil(192/4)=48
+ SHA2 and 5 bits = 39 chars, ceil(192/5)=39
+ SHA1 and 6 bits = 32 chars, ceil(192/6)=32
+ and so on.
+
- Reflection:
. The behavior of ReflectionMethod::invoke() and ::invokeArgs() has been
aligned, what causes slightly different behavior than before for some
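Review bot: The old-length table in the new Session entry gives session.hash_function=1 as "SHA1 192 bits", but SHA-1 output is 160 bits, so the three SHA1 examples should read ceil(160/4)=40, ceil(160/5)=32 and ceil(160/6)=27, and the row labelled "SHA2 and 5 bits" should be SHA1. Readers will use this table to pick a session.sid_length that matches their existing ID length (and storage column width), so the wrong figures matter. In the same entry, "CSPNG" should be "CSPRNG", "session.hash_bits_per_charactor" should be spelled session.hash_bits_per_character so that people grepping their php.ini for the removed directive find it, "Compitled" should be "Compiled", and the parentheses on the session.sid_length line are unbalanced. It is also worth stating the resulting strength next to the allowed ranges: the minimum of 22 characters at 4 bits per character is 88 bits, which is below the 128 bits of the previous MD5 default, while the listed defaults (26 at 5 bits, 32 at 4 bits) stay at 128 bits or more.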
@@ -280,8 +308,7 @@ PHP 7.1 UPGRADE NOTES
. Custom session handlers that do not return strings for session IDs will
now throw an instance of Error instead of resulting in a fatal error
when a function is called that must generate a session ID.
- . An invalid setting for session.hash_function will throw an instance of
- Error instead of resulting in a fatal error when a session ID is created.
+ . Only CSPRNG is used to generate session ID.
- SimpleXML:
. Creating an unnamed or duplicate attribute will throw an instance of Error
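Review bot: The replacement bullet "Only CSPRNG is used to generate session ID." does not fit the surrounding list, whose neighbouring entries each describe a case that now throws an instance of Error. It states no error behaviour and repeats what the new Session entry earlier in the file already says. Either drop it here, or use the slot to say what happens when a leftover session.hash_function (or another of the removed INIs) is still set in php.ini, since the removed lines were the only place that documented the invalid-setting case.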