Applies To

Zend Server 7.0.x, Zend Server 8.5.x, Zend Server 9.0.x 


Introduction

The session.hash_function directive was introduced with PHP 5 and selects the hash algorithm used to generate session IDs. Originally, the possible options were '0' for MD5 (128 bits) and '1' for SHA-1 (160 bits). Since PHP 5.3, the setting also accepts a number of algorithms by name, in addition to the original two options. The possible values of session.hash_function can be obtained using hash_algos():


    [0] => md4
    [1] => md5
    [2] => sha1
    [3] => sha256
    [4] => sha384
    [5] => sha512
    [6] => ripemd128
    [7] => ripemd160
    [8] => whirlpool
    [9] => tiger128,3
    [10] => tiger160,3
    [11] => tiger192,3
    [12] => tiger128,4
    [13] => tiger160,4
    [14] => tiger192,4
    [15] => snefru
    [16] => gost
    [17] => adler32
    [18] => crc32
    [19] => crc32b
    [20] => haval128,3
    [21] => haval160,3
    [22] => haval192,3
    [23] => haval224,3
    [24] => haval256,3
    [25] => haval128,4
    [26] => haval160,4
    [27] => haval192,4
    [28] => haval224,4
    [29] => haval256,4
    [30] => haval128,5
    [31] => haval160,5
    [32] => haval192,5
    [33] => haval224,5
    [34] => haval256,5


Symptoms

In the Zend Server UI, the session.hash_function selection is limited to a drop-down menu that provides only the original two options. This makes it impossible to use any other algorithm without having to deal with a warning message about a directive mismatch in the Zend Server UI.


Solution

To work around the problem, a change needs to be introduced in the following file:

On Linux / macOS: /usr/local/zend/share/zend_extensions_map.json

On Windows: {Zend Server installation directory}\ZendServer\share\zend_extensions_map.json


Locate the following code:


"session.hash_function":{
                                "shortDescription":"Specify the hash algorithm used to generate the session IDs",
                                "type":3,
                                "section":"",
                                "visible":"1",
                                "units":"",
                                "validation":{
                                        "minValue":null,
                                        "maxValue":null,
                                        "regex":"",
                                        "listValues":"a:2:{i:0;s:14:\"MD5 (128 bits)\";i:1;s:16:\"SHA-1 (160 bits)\";}",
                                        "html":false,
                                        "email":false,
                                        "uri":false,
                                        "defaultServer":false,
                                        "allowempty":true,
                                        "host":false
                                }
                        },

Replace it with the following code:


"session.hash_function":{
                                "shortDescription":"Specify the hash algorithm used to generate the session IDs",
                                "type":1,
                                "section":"",
                                "visible":"1",
                                "units":"",
                                "validation":{
                                        "minValue":null,
                                        "maxValue":null,
                                        "regex":"",
                                        "listValues":"",
                                        "html":false,
                                        "email":false,
                                        "uri":false,
                                        "defaultServer":false,
                                        "allowempty":true,
                                        "host":false
                                }
                        },

Save and close the file, then reload the Zend Server UI. session.hash_function will now be a text field instead of a drop-down menu, and you should be able to set it to any registered hash algorithm by entering its name in the text field.
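Because the text field accepts any string, it helps to vet a value before entering it. The following PHP script is an added example, not part of Zend Server or of the original article: it checks that a candidate is registered in hash_algos(), rejects the checksum entries from the list above (adler32, crc32, crc32b), and rejects digests shorter than 128 bits. The function name audit_session_hash(), the MIN_BITS threshold and the sample inputs are assumptions of this example.

```php
<?php
// Added example (not Zend code): vet a value before entering it in the
// session.hash_function text field, which accepts any string.
// audit_session_hash() and MIN_BITS are names/assumptions of this example.

define('MIN_BITS', 128); // assumption: no shorter than MD5, the smallest original option

function audit_session_hash($value)
{
    $algo = strtolower(trim((string) $value));
    // '0' and '1' are the original numeric options for MD5 and SHA-1.
    if ($algo === '0') { $algo = 'md5'; }
    if ($algo === '1') { $algo = 'sha1'; }

    $result = array('input' => (string) $value, 'algo' => $algo, 'bits' => 0, 'ok' => false);

    if (!in_array($algo, hash_algos(), true)) {
        $result['reason'] = 'not registered in hash_algos()';
        return $result;
    }
    // Digest size in bits, measured from the raw binary output.
    $result['bits'] = strlen(hash($algo, '', true)) * 8;

    // adler32 and the crc32 variants in the list are checksums, not cryptographic hashes.
    if (in_array($algo, array('adler32', 'crc32', 'crc32b'), true)) {
        $result['reason'] = 'checksum, not a cryptographic hash';
    } elseif ($result['bits'] < MIN_BITS) {
        $result['reason'] = 'digest shorter than ' . MIN_BITS . ' bits';
    } else {
        $result['ok'] = true;
        $result['reason'] = 'registered';
    }
    return $result;
}

// Constructed sample inputs: a valid name, a numeric option, a checksum, a typo.
$candidates = array('sha256', '1', 'crc32', 'sha-256');
// Include the live setting when the directive exists in this PHP build.
$current = ini_get('session.hash_function');
if ($current !== false) {
    $candidates[] = $current;
}
foreach ($candidates as $candidate) {
    $r = audit_session_hash($candidate);
    printf("%-10s %-8s %4d bits  %s  %s\n", $r['input'], $r['algo'], $r['bits'],
        $r['ok'] ? 'OK    ' : 'REJECT', $r['reason']);
}
```

Run it with the same PHP binary that Zend Server uses, since hash_algos() reports the algorithms registered in that particular build.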
