bef
commented
6 years ago Thank you for reporting the session encryption bug. It appears that this feature is not quite ready for production yet. As for disable_eval, it is possible, that eval still works when using backticks, $$-meta variables or similar methods. This feature was not properly tested yet.
The sessions encrypt works, except that it passes the session data without encryption when there are multiple concurrent requests to the script that starts the session, causing decrypting of unencrypted session data and hence the session is lost, if each request is done at a time then the encrypting works, if i disable session encrypt, then everything works perfectly.
with session_set_save_handler and simple handler that logs the calls to the session, you can easily replicate this issue.
i have also enabled eval by uncommenting 'suhosin.executor.disable_eval' https://github.com/sektioneins/suhosin7/blob/f24aa1084ee50d8e0e290b4e24b9dc236350cbe9/suhosin7.c#L298, it works fine, is there any reason for commenting it? and i am not sure if that is related to the issue above?
PHP v7.0.27, running latest nginx and php-fpm with an SSD HDD Thanks