Problem/Motivation
The RFC https://wiki.php.net/rfc/deprecations_php_8_4#sessionsid_length_and_sess...
Symfony https://github.com/symfony/symfony/pull/57805
In other words changing the default values will either generate session IDs that raise eyebrows (4 bits per character with less than 32 characters or 5 bpc for less than 26 characters) or generate session IDs that are needlessly strong, increasing CPU costs, due to the additional randomness required, and increasing the chance for interoperability problems, such as the mod_security example.
For this reason we propose to deprecate the two INI settings in favor of the opinionated choice of the current defaults of a 32 character hexadecimal session ID.
The hexadecimal character set is not expected to cause any interoperability issues, as it is the most limited one of the currently available ones and hexadecimal identifiers are likely the most commonly used. While this would increase the length of the session ID from the previous minimum of 22 characters (which is a secure choice when combined with 6 bits per character) to 32, we do not expect this to be an issue in practice. The difference in traffic is minimal and a hexadecimal session ID is trivially packed into a 16-byte binary string using hex2bin(), should storage requirements of the session backend be a concern.
Steps to reproduce
core$ git grep sid_length
core/assets/scaffold/files/default.services.yml:57: sid_length: 48
core/core.services.yml:18: sid_length: 48
core/lib/Drupal/Core/Session/SessionConfiguration.php:28: // Provide sensible defaults for sid_length, sid_bits_per_character and
core/lib/Drupal/Core/Session/SessionConfiguration.php:32: 'sid_length' => 48,
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:269: public function testConstructorDefaultSettings(array $options, int $expected_sid_length, int $expected_sid_bits_per_character, string $expected_name_suffix): void {
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:272: $this->assertSame($expected_sid_length, $options['sid_length']);
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:286: [['sid_length' => 100], 100, 6, ''],
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:289: [['sid_length' => 100, 'sid_bits_per_character' => 5, 'name_suffix' => 'some-suffix'], 100, 5, 'some-suffix'],
sites/default/default.services.yml:57: sid_length: 48
core$ git grep sid_bits_per_character
core/assets/scaffold/files/default.services.yml:66: sid_bits_per_character: 6
core/core.services.yml:19: sid_bits_per_character: 6
core/lib/Drupal/Core/Session/SessionConfiguration.php:28: // Provide sensible defaults for sid_length, sid_bits_per_character and
core/lib/Drupal/Core/Session/SessionConfiguration.php:33: 'sid_bits_per_character' => 6,
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:269: public function testConstructorDefaultSettings(array $options, int $expected_sid_length, int $expected_sid_bits_per_character, string $expected_name_suffix): void {
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:273: $this->assertSame($expected_sid_bits_per_character, $options['sid_bits_per_character']);
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:287: [['sid_bits_per_character' => 5], 48, 5, ''],
core/tests/Drupal/Tests/Core/Session/SessionConfigurationTest.php:289: [['sid_length' => 100, 'sid_bits_per_character' => 5, 'name_suffix' => 'some-suffix'], 100, 5, 'some-suffix'],
sites/default/default.services.yml:66: sid_bits_per_character: 6
Proposed resolution
Discuss how to prevent using deprecated code.
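As an added example (not Drupal core code, not the PHP RFC's code and not the change in MR !9266), the PHP script below works through the entropy arithmetic behind the RFC text quoted under Problem/Motivation and the hex2bin() packing it mentions, and sketches a PHP version guard as one way to stop passing the two deprecated INI settings on PHP 8.4 and later. The function names and the guard are this example's own assumptions; the numbers it uses (48 and 6 from Drupal's services.yml, 22/6 and 32/4 from the RFC) are taken from the page.

```php
<?php
declare(strict_types=1);

// Added example, not Drupal core or PHP RFC code. Works through the entropy
// arithmetic behind the RFC text and the hex2bin() packing it mentions, and
// shows one illustrative way to avoid the deprecated INI options on PHP 8.4+.

/**
 * Entropy in bits of a session ID of $length characters whose alphabet has
 * 2 ** $bitsPerCharacter symbols. session.sid_bits_per_character accepted
 * only 4 ([0-9a-f]), 5 ([0-9a-v]) or 6 ([0-9a-zA-Z,-]).
 */
function sessionIdEntropyBits(int $length, int $bitsPerCharacter): int
{
    if (!in_array($bitsPerCharacter, [4, 5, 6], true)) {
        throw new InvalidArgumentException('sid_bits_per_character must be 4, 5 or 6');
    }
    return $length * $bitsPerCharacter;
}

/** Shortest ID that reaches $targetBits of entropy with the given alphabet. */
function minimumLengthFor(int $targetBits, int $bitsPerCharacter): int
{
    return (int) ceil($targetBits / $bitsPerCharacter);
}

/**
 * Hypothetical helper: INI overrides a site might still apply before PHP 8.4.
 * On 8.4+ both settings are deprecated and PHP always uses a 32-character
 * hexadecimal ID, so nothing is returned and no deprecation is triggered.
 */
function sessionIniOverrides(int $phpVersionId = PHP_VERSION_ID): array
{
    if ($phpVersionId >= 80400) {
        return [];
    }
    return ['session.sid_length' => '48', 'session.sid_bits_per_character' => '6'];
}

/** Pack a hexadecimal session ID into raw bytes; null if it is not even-length hex. */
function packHexSessionId(string $sid): ?string
{
    if ($sid === '' || !ctype_xdigit($sid) || strlen($sid) % 2 !== 0) {
        return null;
    }
    return hex2bin($sid);
}

$cases = [
    'Drupal services.yml default (48 chars, 6 bpc)' => [48, 6],
    'PHP < 8.4 minimum (22 chars, 6 bpc)'           => [22, 6],
    'PHP 8.4 fixed default (32 chars, 4 bpc)'       => [32, 4],
];
foreach ($cases as $label => [$len, $bpc]) {
    printf("%-48s %3d bits\n", $label, sessionIdEntropyBits($len, $bpc));
}

// The RFC's thresholds ("less than 32 characters" at 4 bpc, "less than 26"
// at 5 bpc) are the lengths needed to reach 128 bits in each alphabet.
foreach ([4, 5, 6] as $bpc) {
    printf("128 bits at %d bits/char needs %d characters\n", $bpc, minimumLengthFor(128, $bpc));
}

// Only touch the INI settings where they are not deprecated.
foreach (sessionIniOverrides() as $key => $value) {
    ini_set($key, $value);
}

// A 32-character hex ID round-trips losslessly through 16 raw bytes.
$sid = bin2hex(random_bytes(16)); // constructed sample ID, 32 hex characters
$packed = packHexSessionId($sid);
if ($packed === null || strlen($packed) !== 16 || bin2hex($packed) !== $sid) {
    throw new RuntimeException('hex session ID did not round-trip through hex2bin()');
}
printf("%s -> %d bytes packed\n", $sid, strlen($packed));
```

Run it with `php entropy.php`. The point for a reviewer of this issue is that Drupal's 48 × 6 = 288-bit IDs and PHP 8.4's fixed 32 × 4 = 128-bit IDs are both well above the RFC's 128-bit bar, so dropping the two settings loses nothing the RFC considers necessary, while keeping them on 8.4 only buys deprecation notices.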
Remaining tasks
User interface changes
Introduced terminology
API changes
Data model changes
Release notes snippet
Issue fork drupal-3465836
- 3465836-php-8.4-session.sidlength (MR !9266)
Comments
Comment #2
andypost: Added https://github.com/symfony/symfony/pull/57805
Comment #4
andypost
Comment #5
andypost: Added CR and it's a blocker for 8.4 adoption, the same as related #3465827: Stop passing E_USER_ERROR to trigger_error() on PHP 8.4
Comment #6
andypost: Additionally deprecated session.use_only_cookies, session.use_trans_sid and session.referer_check via https://wiki.php.net/rfc/deprecate-get-post-sessions and https://github.com/php/php-src/commit/c5bce0d8a2e6794cd6809e4047dd1f488f...
Comment #7
smustgrave: Thought about if we would need some kind of comment or deprecation message, but since we probably don't know the PHP requirement for D12, figured when the time comes we would search for
Comment #10
catch: Committed/pushed to 11.x and cherry-picked to 10.4.x, thanks!
Looks fine to me for a quick fix for 8.4 compatibility, opened a follow-up for removing/deprecating these from services.default.yml #3471199: Remove sid_length and sid_bits_per_character deprecation from CoreServiceProvider.