Trying to change the algo in use on session IDs.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Post by sockpuppet »

Hi all,

I'm developing an application for business use. Security is not a do-or-die event, but I certainly want to build in security from the beginning.

The user base will rarely hit 40 simultaneous users, so I am looking at using the SHA512 algo for the PHPSESSID, passwords, and nonces.

Tried making the change, hit restart on Apache, and nothing. Tried other algos and still nothing. Any ideas? I'm still getting an md5() session ID. sha512 and whirlpool are both in the hash_algos() array.

Running PHP 5.3.5, Apache22, FreeBSD 8.1

[text]
session.save_handler = files
session.use_cookies = 1
session.use_only_cookies = 1
session.name = PHPSESSID
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = On
session.bug_compat_warn = On
session.referer_check =
session.entropy_length = 0
session.entropy_file =
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = whirlpool
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
[/text]
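Added example, not part of the original post: a diagnostic page for the symptom described above. It reports which ini files the running SAPI loaded, the `session.hash_function` value actually in effect, and whether a freshly generated session ID has the length that digest should produce. The `$wanted` variable and both helper functions are hypothetical names, and the script assumes PHP 5.3 to 7.0 as in the post.

```php
<?php
// Added diagnostic, not code from the original post. Assumes PHP 5.3-7.0,
// where session.hash_function and session.hash_bits_per_character exist.
// Request it through Apache: the CLI can load a different php.ini.
$wanted = 'whirlpool'; // hypothetical variable; value taken from the post

// Digest size in bytes for a session.hash_function value:
// "0" = MD5, "1" = SHA-1, otherwise an algorithm name from hash_algos().
function digest_bytes($fn)
{
    if ($fn === '0') { return 16; }
    if ($fn === '1') { return 20; }
    $fn = strtolower((string) $fn);
    return in_array($fn, hash_algos(), true) ? strlen(hash($fn, '', true)) : null;
}

// Session ID length: the digest is emitted $bits bits per character.
function expected_sid_length($digestBytes, $bits)
{
    return (int) ceil($digestBytes * 8 / $bits);
}

$fn   = ini_get('session.hash_function');
$bits = (int) ini_get('session.hash_bits_per_character');

// session_start() reuses an ID sent in an existing PHPSESSID cookie, so force
// a fresh one to see what the current settings actually generate.
session_start();
session_regenerate_id(true);
$sid = session_id();

$bytes    = digest_bytes($fn);
$expected = ($bytes !== null && $bits >= 4 && $bits <= 6)
    ? expected_sid_length($bytes, $bits) : null;

header('Content-Type: text/plain');
printf("loaded php.ini    : %s\n", var_export(php_ini_loaded_file(), true));
printf("scanned ini files : %s\n", var_export(php_ini_scanned_files(), true));
printf("hash_function     : %s (wanted %s)\n", var_export($fn, true), $wanted);
printf("bits per character: %d\n", $bits);
printf("session ID length : %d (expected %s)\n", strlen($sid),
    $expected === null ? 'unknown' : $expected);
// Reference: MD5 at 5 bits/char is 26 characters; a 512-bit digest
// (sha512, whirlpool) at 5 bits/char is 103.
if ($fn !== $wanted) {
    echo "The value in effect differs from the one edited: check that the file\n",
         "listed above is the one you changed, and look for overrides\n",
         "(php_value in the Apache config or .htaccess, ini_set() in code).\n";
}
```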