Hi Leigh,

On Fri, Aug 12, 2016 at 8:07 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>     $encoded = base64_encode(ini_get('session.sid_length')*2);
>     // Use same charset as PHP
>     $sid = substr(rtrim(strtr($encoded, '+/', ',-'), '='), 0,
>                           ini_get('session.sid_length'));

I forgot to handle session.hash_bits_per_character here. There are
people validating the SID (characters used and length) via WAF or PHP code.
Handling session.hash_bits_per_character is mandatory for such systems.

Implementing things properly and precisely is not easy :)

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
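
An added example, not part of the original message and not code from the PHP project: a user-land SID generator that honours both the length and the bits-per-character setting, next to the kind of character/length validator the message says some sites run. The function names `make_sid` and `is_valid_sid` are hypothetical; the two arguments stand for the values of session.sid_length and session.hash_bits_per_character, and the alphabets are the ones the PHP manual documents for 4, 5 and 6 bits.

```php
<?php
// Added example; make_sid() and is_valid_sid() are hypothetical names.
// First 16 chars serve 4 bits, first 32 serve 5 bits, all 64 serve 6 bits.
const SID_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-';

function make_sid(int $length, int $bitsPerChar): string
{
    if ($bitsPerChar < 4 || $bitsPerChar > 6 || $length < 1) {
        throw new InvalidArgumentException('unsupported SID settings');
    }
    $mask  = (1 << $bitsPerChar) - 1;
    // Exactly enough CSPRNG bytes to cover length * bitsPerChar bits.
    $bytes = random_bytes(intdiv($length * $bitsPerChar + 7, 8));
    $sid = '';
    $acc = 0;   // bit accumulator
    $have = 0;  // unread bits currently held in $acc
    $pos = 0;   // next byte to read
    while (strlen($sid) < $length) {
        if ($have < $bitsPerChar) {
            $acc |= ord($bytes[$pos++]) << $have;
            $have += 8;
        }
        // The alphabet size is a power of two, so masking adds no bias.
        $sid .= SID_ALPHABET[$acc & $mask];
        $acc >>= $bitsPerChar;
        $have -= $bitsPerChar;
    }
    return $sid;
}

function is_valid_sid(string $sid, int $length, int $bitsPerChar): bool
{
    $classes = [4 => '0-9a-f', 5 => '0-9a-v', 6 => '0-9a-zA-Z,-'];
    if (!isset($classes[$bitsPerChar]) || $length < 1) {
        return false;
    }
    // \A and \z anchor the whole string, so a trailing newline is rejected.
    $pattern = '/\A[' . $classes[$bitsPerChar] . ']{' . $length . '}\z/';
    return preg_match($pattern, $sid) === 1;
}

// Constructed settings: a length of 32 with each bits-per-character value.
foreach ([4, 5, 6] as $bits) {
    $sid = make_sid(32, $bits);
    printf("%d bits: %s matches own rule: %s, matches 4-bit rule: %s\n",
        $bits, $sid,
        var_export(is_valid_sid($sid, 32, $bits), true),
        var_export(is_valid_sid($sid, 32, 4), true));
}
```

The last column shows the failure the message warns about: an ID built from the full 64-character set is almost always rejected by a validator written for the 4-bit alphabet.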

-- 
PHP Internals - PHP Runtime Development Mailing List