session: Deprecate session.sid_length and session.sid_bits_per_character (#15213)

RFC: https://wiki.php.net/rfc/deprecations_php_8_4

Author: TimWolla

NEWS

@@ -17,6 +17,10 @@ PHP                                                                        NEWS
 - Random:
   . lcg_value() is now deprecated. (timwolla)
 
+- Session:
+  . INI settings session.sid_length and session.sid_bits_per_character are now
+    deprecated. (timwolla)
+
 - Standard:
   . Unserializing the uppercase 'S' tag is now deprecated. (timwolla)
 

UPGRADING

@@ -446,6 +446,10 @@ PHP 8.4 UPGRADE NOTES
 - Session:
   . Calling session_set_save_handler() with more than 2 arguments is
     deprecated. Use the 2-parameter signature instead.
+  . Changing the INI settings session.sid_length and session.sid_bits_per_character
+    is deprecated. Update the session storage backend to accept 32 character
+    hexadecimal session IDs and stop changing these two INI settings.
+    RFC: https://wiki.php.net/rfc/deprecations_php_8_4
 
 - Standard:
   . Calling stream_context_set_option() with 2 arguments is deprecated.

ext/session/session.c

@@ -751,6 +751,9 @@ static PHP_INI_MH(OnUpdateSidLength) /* {{{ */
 	SESSION_CHECK_ACTIVE_STATE;
 	SESSION_CHECK_OUTPUT_STATE;
 	val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10);
+	if (val != 32) {
+		zend_error(E_DEPRECATED, "session.sid_length INI setting is deprecated");
+	}
 	if (endptr && (*endptr == '\0')
 		&& val >= 22 && val <= PS_MAX_SID_LENGTH) {
 		/* Numeric value */
@@ -771,6 +774,9 @@ static PHP_INI_MH(OnUpdateSidBits) /* {{{ */
 	SESSION_CHECK_ACTIVE_STATE;
 	SESSION_CHECK_OUTPUT_STATE;
 	val = ZEND_STRTOL(ZSTR_VAL(new_value), &endptr, 10);
+	if (val != 4) {
+		zend_error(E_DEPRECATED, "session.sid_bits_per_character INI setting is deprecated");
+	}
 	if (endptr && (*endptr == '\0')
 		&& val >= 4 && val <=6) {
 		/* Numeric value */

ext/session/tests/bug68063.phpt

@@ -22,5 +22,6 @@ var_dump(session_start());
 var_dump(session_id());
 ?>
 --EXPECTF--
+Deprecated: session.sid_length INI setting is deprecated in Unknown on line 0
 bool(true)
 string(40) "%s"

ext/session/tests/session_id_basic2.phpt

@@ -11,13 +11,13 @@ ob_start();
 
 echo "*** Testing session_id() : basic functionality ***\n";
 
-ini_set('session.sid_bits_per_chracter', 6);
+ini_set('session.sid_bits_per_character', 6);
 ini_set('session.sid_length', 120);
 session_start();
 var_dump(session_id());
 session_commit();
 
-ini_set('session.sid_bits_per_chracter', 4);
+ini_set('session.sid_bits_per_character', 4);
 ini_set('session.sid_length', 22);
 session_start();
 session_regenerate_id();
@@ -28,6 +28,12 @@ echo "Done";
 ?>
 --EXPECTF--
 *** Testing session_id() : basic functionality ***
+
+Deprecated: session.sid_bits_per_character INI setting is deprecated in %s on line %d
+
+Deprecated: session.sid_length INI setting is deprecated in %s on line %d
 string(120) "%s"
+
+Deprecated: session.sid_length INI setting is deprecated in %s on line %d
 string(22) "%s"
 Done

php.ini-development

@@ -1422,15 +1422,6 @@ session.cache_expire = 180
 ; https://php.net/session.use-trans-sid
 session.use_trans_sid = 0
 
-; Set session ID character length. This value could be between 22 to 256.
-; Shorter length than default is supported only for compatibility reason.
-; Users should use 32 or more chars.
-; https://php.net/session.sid-length
-; Default Value: 32
-; Development Value: 26
-; Production Value: 26
-session.sid_length = 26
-
 ; The URL rewriter will look for URLs in a defined set of HTML tags.
 ; <form> is special; if you include them here, the rewriter will
 ; add a hidden <input> field with the info which is otherwise appended
@@ -1456,18 +1447,6 @@ session.trans_sid_tags = "a=href,area=href,frame=src,form="
 ; Production Value: ""
 ;session.trans_sid_hosts=""
 
-; Define how many bits are stored in each character when converting
-; the binary hash data to something readable.
-; Possible values:
-;   4  (4 bits: 0-9, a-f)
-;   5  (5 bits: 0-9, a-v)
-;   6  (6 bits: 0-9, a-z, A-Z, "-", ",")
-; Default Value: 4
-; Development Value: 5
-; Production Value: 5
-; https://php.net/session.hash-bits-per-character
-session.sid_bits_per_character = 5
-
 ; Enable upload progress tracking in $_SESSION
 ; Default Value: On
 ; Development Value: On

php.ini-production

@@ -1424,15 +1424,6 @@ session.cache_expire = 180
 ; https://php.net/session.use-trans-sid
 session.use_trans_sid = 0
 
-; Set session ID character length. This value could be between 22 to 256.
-; Shorter length than default is supported only for compatibility reason.
-; Users should use 32 or more chars.
-; https://php.net/session.sid-length
-; Default Value: 32
-; Development Value: 26
-; Production Value: 26
-session.sid_length = 26
-
 ; The URL rewriter will look for URLs in a defined set of HTML tags.
 ; <form> is special; if you include them here, the rewriter will
 ; add a hidden <input> field with the info which is otherwise appended
@@ -1458,18 +1449,6 @@ session.trans_sid_tags = "a=href,area=href,frame=src,form="
 ; Production Value: ""
 ;session.trans_sid_hosts=""
 
-; Define how many bits are stored in each character when converting
-; the binary hash data to something readable.
-; Possible values:
-;   4  (4 bits: 0-9, a-f)
-;   5  (5 bits: 0-9, a-v)
-;   6  (6 bits: 0-9, a-z, A-Z, "-", ",")
-; Default Value: 4
-; Development Value: 5
-; Production Value: 5
-; https://php.net/session.hash-bits-per-character
-session.sid_bits_per_character = 5
-
 ; Enable upload progress tracking in $_SESSION
 ; Default Value: On
 ; Development Value: On