Trying to change algo in use on session IDs.
Posted: Tue Jan 18, 2011 6:35 pm
Hi all,
I'm developing an application for business use; security is not a do-or-die event, but I certainly want to build in security from the beginning.
The user base will rarely hit 40 simultaneous users, so I am looking at using the SHA512 algo for the PHPSESSID, passwords, and nonces.
Tried making the change, hit restart apache and nothing. Tried other algos and still nothing. Any ideas? I'm still getting an md5() session ID. sha512 and whirlpool both are in the hash_algos() array.
Running PHP 5.3.5, Apache22, FreeBSD 8.1
[text]
session.save_handler = files
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = On
session.bug_compat_warn = On
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = whirlpool
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"[/text]
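A diagnostic for the situation described in the post, added here as an example and not part of the original post. It reports which php.ini the web server's PHP actually loaded and compares the length of the issued session ID with the length implied by `session.hash_function` and `session.hash_bits_per_character`. The setting only affects newly generated IDs, so an ID carried in an existing cookie keeps its old length. The helper names `digest_bits` and `expected_sid_length` are hypothetical, and the script assumes PHP 5.3 to 7.0, where these directives exist.

```php
<?php
// Added diagnostic, not from the original post. Targets PHP 5.3-7.0, where
// session.hash_function exists (PHP 7.1 replaced it with session.sid_length).

// Digest size in bits for a session.hash_function value: '0' = MD5,
// '1' = SHA-1, otherwise a name from hash_algos(). Null if unknown.
function digest_bits($setting)
{
    if ($setting === '0') { return 128; }
    if ($setting === '1') { return 160; }
    if (!in_array($setting, hash_algos(), true)) { return null; }
    return strlen(hash($setting, '', true)) * 8;
}

// Session ID length for a digest of $bits encoded at $bitsPerChar (4, 5 or 6).
// A partial trailing group still produces one character, hence ceil().
function expected_sid_length($bits, $bitsPerChar)
{
    return (int) ceil($bits / $bitsPerChar);
}

$function = (string) ini_get('session.hash_function');
$perChar  = (int) ini_get('session.hash_bits_per_character');

session_start();               // reuses the ID from an existing cookie, if any
$sid  = session_id();
$bits = digest_bits($function);

header('Content-Type: text/plain');
echo 'Loaded php.ini:        ', var_export(php_ini_loaded_file(), true), "\n";
echo 'Additional .ini files: ', var_export(php_ini_scanned_files(), true), "\n";
echo "session.hash_function: {$function}\n";
echo "bits per character:    {$perChar}\n";
echo 'Session ID length:     ', strlen($sid), "\n";

if ($bits === null || $perChar < 4 || $perChar > 6) {
    echo "Effective settings are not a usable hash configuration.\n";
} else {
    $want = expected_sid_length($bits, $perChar);
    echo "Expected length:       {$want}\n";
    echo strlen($sid) === $want
        ? "Session ID matches the configured hash.\n"
        : "Mismatch: ID was issued under other settings (stale cookie or a different php.ini).\n";
}
```

With the values in the listing above (whirlpool, 5 bits per character) the expected length is 103 characters, while an MD5-based ID at 5 bits per character is 26.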