PHPSESSID character length 32 in 5.2.x, 26 in 5.3.x

I’ve been using pattern recognition for the PHPSESSID as one of the methods to help identify false/invalid PHPSESSIDs coming from the browser.

So, I used this to detect a PHPSESSID:

if (!preg_match('/^[A-Za-z0-9]{32}$/', $_COOKIE['PHPSESSID'])) {
    // fake sessid
} else {
    // valid sessid
}

But now I see that PHP 5.2 spits out a string of 32 characters, but PHP 5.3 spits out a string of 26 characters. How can I specify the number of characters to make sure the code works for both versions of PHP?

Good point.

I removed the relevant code, but it caused problems when the PHPSESSID was blank, so I’ll just check for !empty().

The Session ID can be configured far more so than your little “test” checks for.
From my own php.ini:

; Select a hash function for use in generating session ids.
; Possible Values
;   0  (MD5 128 bits)
;   1  (SHA-1 160 bits)
; This option may also be set to the name of any hash function supported by
; the hash extension. A list of available hashes is returned by the hash_algos()
; function.
; http://php.net/session.hash-function
session.hash_function = 1

; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
; Possible values:
;   4  (4 bits: 0-9, a-f)
;   5  (5 bits: 0-9, a-v)
;   6  (6 bits: 0-9, a-z, A-Z, "-", ",")
; Default Value: 4
; Development Value: 5
; Production Value: 5
; http://php.net/session.hash-bits-per-character
session.hash_bits_per_character = 6

But honestly, your “test” is superfluous. If the session ID is invalid or false it won’t match any existing session ID and won’t be used to any great extent. PHP already handles these things internally.
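To make the answer's point concrete, here is an added example (not code from the thread) that derives the expected session ID alphabet and length from the same php.ini settings quoted above instead of hard-coding 32 or 26. The function names session_hash_bits, session_id_pattern and looks_like_session_id are my own; the fallback to session.sid_length / session.sid_bits_per_character covers PHP 7.1 and later, where the hash_* settings no longer exist.

```php
<?php
// Added example, not from the original thread: compute the session ID
// pattern from the configured hash function and bits-per-character.

/**
 * Number of bits produced by the configured session.hash_function.
 * "0" and "1" are MD5 and SHA-1; any other value is treated as a name
 * understood by the hash extension, as the php.ini comment describes.
 */
function session_hash_bits($hashFunction)
{
    if ($hashFunction === '0' || $hashFunction === '') {
        return 128;                                   // MD5
    }
    if ($hashFunction === '1') {
        return 160;                                   // SHA-1
    }
    if (in_array($hashFunction, hash_algos(), true)) {
        return strlen(hash($hashFunction, '', true)) * 8;
    }
    throw new RuntimeException("Unknown session.hash_function: $hashFunction");
}

/**
 * Build the regex a session ID must match under the current ini settings.
 * Returns array($pattern, $expectedLength).
 */
function session_id_pattern()
{
    // PHP 7.1+ replaced session.hash_* with session.sid_length /
    // session.sid_bits_per_character; ini_get() returns false on older PHP.
    $sidLength = ini_get('session.sid_length');
    if ($sidLength !== false) {
        $bitsPerChar = (int) ini_get('session.sid_bits_per_character');
        $length      = (int) $sidLength;
    } else {
        $bitsPerChar = (int) ini_get('session.hash_bits_per_character');
        $bits        = session_hash_bits((string) ini_get('session.hash_function'));
        // A partial final character is still emitted, so round up.
        $length      = (int) ceil($bits / $bitsPerChar);
    }

    // Alphabets exactly as listed in the php.ini comment above.
    switch ($bitsPerChar) {
        case 4:  $class = '0-9a-f';        break;
        case 5:  $class = '0-9a-v';        break;
        case 6:  $class = '0-9a-zA-Z,-';   break;   // "-" and "," are part of the set
        default: throw new RuntimeException("Unsupported bits per character: $bitsPerChar");
    }
    return array('/^[' . $class . ']{' . $length . '}$/', $length);
}

/**
 * Syntactic check only: a well-formed ID can still be unknown to the
 * session handler, which is the case PHP already deals with internally.
 */
function looks_like_session_id($candidate)
{
    list($pattern) = session_id_pattern();
    return is_string($candidate) && preg_match($pattern, $candidate) === 1;
}

// Worked values for the settings discussed in the thread (constructed, not measured):
//   MD5   (128 bits) at 4 bits/char -> 32 characters  (PHP 5.2 default)
//   MD5   (128 bits) at 5 bits/char -> 26 characters  (PHP 5.3 php.ini-development)
//   SHA-1 (160 bits) at 6 bits/char -> 27 characters  (the php.ini quoted in the answer)
list($pattern, $length) = session_id_pattern();
echo "Expecting {$length}-character session IDs matching {$pattern}\n";
$cookie = isset($_COOKIE['PHPSESSID']) ? $_COOKIE['PHPSESSID'] : '';
var_dump(looks_like_session_id($cookie));
```

Two things the worked values make visible: the original `[A-Za-z0-9]{32}` test rejects every ID produced by the quoted php.ini, both because SHA-1 at 6 bits per character yields 27 characters and because that alphabet includes "-" and ",". Deriving the pattern from ini_get() keeps the check in step with whatever the server is actually configured to generate.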