Closed
Description
| Q | A |
|---|---|
| Bug report? | yes |
| Feature request? | no |
| BC Break report? | no |
| RFC? | no |
| Symfony version | all |
When ini session.sid_bits_per_character > 4, the session id can contain non-hex-characters which will be ignored by hexdec in
https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/PdoSessionHandler.php#L586 making the lock key vulnerable to collisions. So somebody else could block your session. The same problem applies to the old session.hash_bits_per_character setting.
So we need a different algorithm to transform the session id to an integer.