Introduced in branch: 
10.4.x, 11.1.x
Introduced in version: 
10.4.0, 11.1.0
Description: 

As of PHP 8.4, the session.sid_length and session.sid_bits_per_character INI settings have been deprecated. These settings previously allowed developers to configure the length and randomness of session IDs, but after a review of their usage and potential risks, they are being replaced by a more standardized and secure default configuration.

Details and Impact

Previously, developers could configure the session ID length (session.sid_length) and the number of bits per character (session.sid_bits_per_character) to control the security level of session IDs. However, there were notable drawbacks to this flexibility:

  • Configuring the session ID with 4 bits per character and a length of fewer than 32 characters resulted in weak session IDs that could raise security concerns.
  • Configurations with a higher number of bits per character, such as 5 bits, generated unnecessarily long and strong session IDs, leading to an increase in CPU costs and potential interoperability issues (e.g., with mod_security).

PHP 8.4 has introduced a new standardized approach to address these issues. Session IDs will now default to a 32-character hexadecimal string. This change offers the following benefits:

  • Interoperability: The hexadecimal character set is widely supported and less likely to cause conflicts.
  • Security: A fixed 32-character session ID ensures a secure level of randomness.
  • Efficiency: The difference in traffic overhead between shorter and longer session IDs is negligible, and hexadecimal session IDs can be efficiently stored as 16-byte binary strings if storage is a concern.

Impact on existing sites

Drupal developers using PHP 8.4 should be aware that any reliance on custom session ID configurations using session.sid_length or session.sid_bits_per_character will need to be updated. Drupal core and contributed modules that manage session behavior should review their code to ensure compatibility with the new defaults.

Recommended Actions

  • Remove any custom configurations: If your Drupal setup modifies session.sid_length or session.sid_bits_per_character, these configurations should be removed as they are now deprecated and will no longer have an effect in PHP 8.4.
  • Test compatibility: Ensure that your session management works as expected under the new default 32-character hexadecimal session ID.
  • Monitor performance: Although a longer session ID may marginally increase traffic, the impact should be minimal in practice.
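As an added example (not Drupal core or PHP project code), the following PHP script shows how a site could audit for leftover values of the deprecated settings, verify that session IDs conform to the new 32-character hexadecimal default, and pack them into the 16-byte binary form mentioned above; the function names are hypothetical and the sample ID is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for an added example; not part of Drupal core.

// Return any deprecated session INI setting whose current value differs
// from the PHP 8.4 default (32 characters, 4 bits per character), e.g.
// because settings.php still calls ini_set() on it.
function find_deprecated_session_settings(): array {
  $defaults = [
    'session.sid_length' => '32',
    'session.sid_bits_per_character' => '4',
  ];
  $leftovers = [];
  foreach ($defaults as $name => $default) {
    $current = ini_get($name);
    if ($current !== FALSE && $current !== $default) {
      $leftovers[$name] = $current;
    }
  }
  return $leftovers;
}

// TRUE when the ID matches the standardized format: 32 lowercase hex
// characters, i.e. 4 bits each for 128 bits of entropy.
function is_standard_session_id(string $sid): bool {
  return preg_match('/^[0-9a-f]{32}$/', $sid) === 1;
}

// Pack a 32-char hex ID into 16 raw bytes for compact storage.
function session_id_to_binary(string $sid): string {
  if (!is_standard_session_id($sid)) {
    throw new InvalidArgumentException('Not a 32-character hex session ID.');
  }
  return hex2bin($sid);
}

// Unpack the 16-byte stored form back into the hex ID used in the cookie.
function session_id_from_binary(string $bin): string {
  if (strlen($bin) !== 16) {
    throw new InvalidArgumentException('Expected 16 bytes.');
  }
  return bin2hex($bin);
}

// Constructed sample ID of the kind PHP 8.4 emits by default.
$sample = '3f2a9c8e1d4b7a6f0e5c2b9a8d7f6e1c';
var_dump(is_standard_session_id($sample));                                   // bool(true)
var_dump(session_id_from_binary(session_id_to_binary($sample)) === $sample); // bool(true)
// A legacy 5-bit-per-character ID (letters past 'f') fails the check.
var_dump(is_standard_session_id('abcdefghijklmnopqrstuvwxyz012345'));        // bool(false)
var_dump(find_deprecated_session_settings());                                // [] on a clean PHP 8.4 setup
```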

Conclusion

With PHP 8.4, session ID generation has been standardized to improve security, reduce complexity, and enhance interoperability. Drupal developers should update their session management strategies to align with these changes and ensure smooth operation as PHP evolves.

Impacts: 
Module developers