PdoSessionHandler: advisory lock for pgsql not safe for session.sid_bits_per_character > 4 · Issue #24095 · symfony/symfony · GitHub
Closed
@Tobion

| Q | A |
| --- | --- |
| Bug report? | yes |
| Feature request? | no |
| BC Break report? | no |
| RFC? | no |
| Symfony version | all |

When ini session.sid_bits_per_character > 4, the session id can contain non-hex characters, which will be ignored by hexdec in https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/PdoSessionHandler.php#L586, making the lock key vulnerable to collisions. So somebody else could block your session. The same problem applies to the old session.hash_bits_per_character setting.
So we need a different algorithm to transform the session id to an integer.
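
The collision described in this issue, as an added example that is not part of the original report and not Symfony's code. The function names, the 15-character prefix, the constructed session ids and the SHA-256 based alternative are all assumptions made for illustration; the alternative is one possible derivation, not necessarily the one the project adopted.

```php
<?php
// Added illustration, not Symfony code. Session ids below are constructed.

// Lock key as the issue describes it: hexdec() over the session id.
// The 15-character prefix (to fit a signed 64-bit integer) is an assumption.
function hexdecLockKey(string $sessionId, int $prefixLen = 15): int
{
    // hexdec() skips every character outside [0-9a-fA-F];
    // "@" hides the deprecation notice PHP >= 7.4 emits when it does so.
    return (int) @hexdec(substr($sessionId, 0, $prefixLen));
}

// Collision-resistant alternative: hash the full id, take 8 bytes as a
// signed 64-bit integer (requires a 64-bit PHP build for unpack('q')).
function hashedLockKey(string $sessionId): int
{
    return unpack('q', substr(hash('sha256', $sessionId, true), 0, 8))[1];
}

// Constructed ids in the sid_bits_per_character=5 alphabet (0-9, a-v).
$ids = [
    'gh2kq9mnsv0jtu1ropl3ig7hk5nm', // only 2, 9, 0, 1 in the prefix are hex digits
    'vv2ttt9uuu0sss1hhhggg4kkk8mm', // same hex digits in the same order
    'ghijklmnopqrstuvghijklmnopqr', // no hex digits in the prefix at all
    'vutsrqponmlkjihgvutsrqponmlk', // no hex digits in the prefix at all
];

foreach ($ids as $id) {
    printf("%s  hexdec=%d  hashed=%d\n", $id, hexdecLockKey($id), hashedLockKey($id));
}

// Distinct ids should yield distinct keys; count how many survive each scheme.
printf("distinct hexdec keys: %d of %d\n",
    count(array_unique(array_map('hexdecLockKey', $ids))), count($ids));
printf("distinct hashed keys: %d of %d\n",
    count(array_unique(array_map('hashedLockKey', $ids))), count($ids));
```

Because the hexdec-based key depends only on the hex digits that happen to appear in the prefix, unrelated sessions end up waiting on the same PostgreSQL advisory lock, whereas the hashed key depends on every character of the id.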
