sektioneins / suhosin7

Suhosin Extension for PHP 7.x
https://www.suhosin.org

Session encrypt issue #21

Open n-for-all opened 6 years ago

n-for-all commented 6 years ago

The session encryption works, except that it passes the session data without encryption when there are multiple concurrent requests to the script that starts the session, causing decryption of unencrypted session data, and hence the session is lost. If each request is done one at a time, then the encryption works. If I disable session encryption, then everything works perfectly.

With session_set_save_handler and a simple handler that logs the calls to the session, you can easily replicate this issue.

I have also enabled eval by uncommenting 'suhosin.executor.disable_eval' https://github.com/sektioneins/suhosin7/blob/f24aa1084ee50d8e0e290b4e24b9dc236350cbe9/suhosin7.c#L298; it works fine. Is there any reason for commenting it out? I am not sure if that is related to the issue above.

PHP v7.0.27, running the latest nginx and php-fpm with an SSD HDD. Thanks
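The reproduction the reporter describes, a custom save handler that logs every call, written out as an added example (this is not code from the issue or from the suhosin7 project). It assumes a log path of /tmp/session-handler.log and the heuristic that PHP's default "php" session serializer produces payloads of the form `name|<serialized value>`, so a write that matches that shape reached the handler as plaintext; both the path and the heuristic are assumptions, not anything the page states.

```php
<?php
// Added example: a minimal logging session handler for observing what data
// actually reaches the save handler on each request. Assumptions: the log
// file path and the "key|..." plaintext heuristic below are not from the page.
//
// Syntax is kept PHP 7.0 compatible (the reporter's version); the
// ReturnTypeWillChange attribute is a comment on PHP 7 and silences the
// missing-return-type deprecation on PHP 8.1+.

class LoggingSessionHandler implements SessionHandlerInterface
{
    /** @var string */
    private $dir;
    /** @var string */
    private $logFile;

    public function __construct($dir, $logFile)
    {
        $this->dir = rtrim($dir, '/');
        $this->logFile = $logFile;
    }

    private function log($event, $id, $detail = '')
    {
        $line = sprintf("%s pid=%d %s id=%s %s\n", date('c'), getmypid(), $event, $id, $detail);
        file_put_contents($this->logFile, $line, FILE_APPEND | LOCK_EX);
    }

    // Heuristic (assumption): the default "php" serializer writes "key|..." pairs,
    // so a payload matching that shape was handed to us unencrypted.
    private static function looksPlaintext($data)
    {
        return $data === '' || preg_match('/^[A-Za-z_][A-Za-z0-9_]*\|/', $data) === 1;
    }

    private function describe($data)
    {
        return sprintf('bytes=%d plaintext=%s', strlen($data), self::looksPlaintext($data) ? 'yes' : 'no');
    }

    #[\ReturnTypeWillChange]
    public function open($path, $name) { $this->log('open', '-', $name); return true; }

    #[\ReturnTypeWillChange]
    public function close() { $this->log('close', '-'); return true; }

    #[\ReturnTypeWillChange]
    public function read($id)
    {
        $file = $this->dir . '/sess_' . $id;
        $data = is_file($file) ? (string) file_get_contents($file) : '';
        $this->log('read', $id, $this->describe($data));
        return $data;
    }

    #[\ReturnTypeWillChange]
    public function write($id, $data)
    {
        $this->log('write', $id, $this->describe($data));
        return file_put_contents($this->dir . '/sess_' . $id, $data, LOCK_EX) !== false;
    }

    #[\ReturnTypeWillChange]
    public function destroy($id)
    {
        $this->log('destroy', $id);
        @unlink($this->dir . '/sess_' . $id);
        return true;
    }

    #[\ReturnTypeWillChange]
    public function gc($maxLifetime) { $this->log('gc', '-', 'max_lifetime=' . $maxLifetime); return 0; }
}

$handler = new LoggingSessionHandler(sys_get_temp_dir(), '/tmp/session-handler.log');
session_set_save_handler($handler, true);
session_start();
$_SESSION['hits'] = (isset($_SESSION['hits']) ? $_SESSION['hits'] : 0) + 1;
echo 'hits=' . $_SESSION['hits'] . "\n";
```

Serve the script through php-fpm with suhosin.session.encrypt enabled, hit it once to establish a cookie, then replay that cookie concurrently (for instance `ab -n 50 -c 10 -C PHPSESSID=... http://host/script.php`) and again sequentially. Comparing the plaintext column of the read and write lines across the two runs shows whether any write under concurrency carried an unencrypted payload.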

bef commented 6 years ago

Thank you for reporting the session encryption bug. It appears that this feature is not quite ready for production yet. As for disable_eval, it is possible that eval still works when using backticks, $$ meta-variables or similar methods. This feature was not properly tested yet.