Generating Custom Session ID in PHP 5
Another one of my favorite questions from Zend PHP 5 Certification Mock Exam. Correct answer in bold.
If you would like to change the session ID generation function, which of the following is the best approach for PHP 5?
- Set the session.hash_function INI configuration directive
- Use the session_set_id_generator() function
- Set the session id by force using the session_id() function
- Use the session_regenerate_id() function
- Implement a custom session handler
Surprisingly, the most obvious answer, made sound like something not really reasonable, is the correct one. A few words of explanation.
And session_id() is the only one on the list allowing to set custom session id and definitely it is the correct answer.
How can I do this? PHP doesn't allows to redeclare functions
ReplyDeletedude you are Wrong! the correct answer would be "Use the session_regenerate_id() function"
ReplyDeletehttp://blogs.sans.org/appsecstreetfighter/2009/06/29/session-attacks-and-php-part-2/
ReplyDeletehttp://us.php.net/manual/en/function.session-regenerate-id.php
Hi jpablobr, thanks for the comment. As I see it, the question is about changing session generation algorithm and not about session attacks. I would hold the ground.
ReplyDeletesnowcore, the trick is to generate the id using your own algorithm and then force-set it using session_id().
ReplyDeletei guess the answer should be "Set the session.hash_function INI configuration directive"
ReplyDeletebecause the question is "If you would like to change the session ID generation function"
means changing "session ID generation function" and not the session ID
let me know your views
I believe samsami2u is correct. I had this same question in the PHP 5 mock exam. The question is asking how you 'change the session ID generation' which implys that you are required to change the built-in session ID generation, not provide your own session id.
ReplyDeleteHi guys, thanks for your comments.
ReplyDeleteI agree that the question itself is not very clear so there is some space for interpretation. I might be wrong with mine, it happens only too often. However, the question starts with "if you would like to change the session ID generation function" and I believe the key phrase here is "ID generation function". PHP allows for changing ID generation ALGORITHM (the discussed above session.hash_function) but the only way to change the ID generation FUNCTION is to create a function which generates the ID and then calls session_id() to set it.
I hope it makes more sense now.
Jacek
I would agree with you, Jacek. The hash setting simply changes the algo the existing function uses... but then again it is labeled "session.hash_FUNCTION" which further confuses the issue, though the docs say changing the hash function value merely "allows you to specify the hash algorithm used to generate the session IDs". If the correct answer really is changing the session.hash_function, then it is only proof as to why i hate written tests for something like programming, which should test your skills at implementing a solution and the elegance of that solution, not confuse you with badly worded and vague questions.
ReplyDeleteThere's no doubt about it that the question is as clear as mud. I had to re-read it a few times to get it into my cranium.
ReplyDeleteHowever, I think you are correct in your initial post Jacek.
Cheers for the post again.
Picco
My recommendation is to override the session handling with session_set_save_handler, then in the 'read' function, which is the first function call after session_start() check the length of the session_id, it defaults to 26 characters so if you make your custom ones say 40 chars long then you'll know if its a new session thats not been overridden yet by checking the length.
ReplyDeleteYou can then generate a random string for the session and pass it into session_id($new_id) like so before continuing your processing.
Sim
Erzurum
ReplyDeleteElazığ
Konya
Zonguldak
Eskişehir
S4H
Kocaeli
ReplyDeleteDenizli
Bursa
istanbul
Van
AVYWSE
Erzurum
ReplyDeleteistanbul
Ağrı
Malatya
Trabzon
Q2ECKK
ankara
ReplyDeletesakarya
tekirdağ
kastamonu
amasya
JZJ1
goruntulu show
ReplyDeleteücretli
D5V8O
whatsapp görüntülü show
ReplyDeleteücretli.show
İY6
Ağrı Lojistik
ReplyDeleteÇorlu Lojistik
Kars Lojistik
Antalya Lojistik
Rize Lojistik
LF1W4W
Maraş Lojistik
ReplyDeleteHatay Lojistik
Tokat Lojistik
Elazığ Lojistik
Aksaray Lojistik
QM72
99E01
ReplyDeleteNiğde Parça Eşya Taşıma
Karabük Lojistik
Tekirdağ Evden Eve Nakliyat
Ardahan Evden Eve Nakliyat
Artvin Evden Eve Nakliyat
58826
ReplyDeleteParibu Güvenilir mi
Karabük Evden Eve Nakliyat
Kırklareli Evden Eve Nakliyat
Kalıcı Makyaj
Urfa Evden Eve Nakliyat
1E1DC
ReplyDeleteYenimahalle Fayans Ustası
Ünye Boya Ustası
Elazığ Lojistik
Eskişehir Şehirler Arası Nakliyat
Tunceli Evden Eve Nakliyat
Kütahya Şehir İçi Nakliyat
Coin Nedir
Edirne Lojistik
Tekirdağ Fayans Ustası
63A19
ReplyDeleteOsmaniye Evden Eve Nakliyat
Ordu Lojistik
Mersin Şehirler Arası Nakliyat
Ünye Organizasyon
Ardahan Şehir İçi Nakliyat
Düzce Şehir İçi Nakliyat
Batman Lojistik
Aydın Parça Eşya Taşıma
Mamak Boya Ustası
B5667
ReplyDeletebuy steroid cycles
Eskişehir Evden Eve Nakliyat
dianabol methandienone
Aydın Evden Eve Nakliyat
buy sarms
order anapolon oxymetholone
order halotestin
buy pharmacy steroids
Nevşehir Evden Eve Nakliyat
D1D4D
ReplyDeleteMuğla Şehirler Arası Nakliyat
Uşak Lojistik
Samsun Lojistik
Tokat Şehir İçi Nakliyat
Silivri Çatı Ustası
Şırnak Lojistik
Çerkezköy Buzdolabı Tamircisi
Kütahya Şehir İçi Nakliyat
Bursa Şehirler Arası Nakliyat
C7296
ReplyDeleteSoundcloud Dinlenme Hilesi
Gate io Borsası Güvenilir mi
Dxgm Coin Hangi Borsada
Görüntülü Sohbet Parasız
Bitcoin Madenciliği Nedir
Kripto Para Nasıl Üretilir
Parasız Görüntülü Sohbet
Mexc Borsası Güvenilir mi
Dlive Takipçi Hilesi
17AAB
ReplyDeleteBinance Hesap Açma
Periscope Takipçi Satın Al
Btcst Coin Hangi Borsada
Trovo Takipçi Hilesi
Okex Borsası Güvenilir mi
Nonolive Takipçi Satın Al
Binance Referans Kodu
Binance Hesap Açma
Görüntülü Sohbet Parasız
6CA139F17C
ReplyDeletetürk beğeni satın al