fix!: we force PHP defaults of session.sid_bits_per_character/session.sid_length

They are deprecated in PHP 8.4.

Author: kenjis

system/Session/Handlers/FileHandler.php

@@ -309,32 +309,25 @@ public function gc($max_lifetime)
 
     /**
      * Configure Session ID regular expression
+     *
+     * To make life easier, we force the PHP defaults. Because PHP9 forces them.
+     * See https://wiki.php.net/rfc/deprecations_php_8_4#sessionsid_length_and_sessionsid_bits_per_character
      */
     protected function configureSessionIDRegex()
     {
         $bitsPerCharacter = (int) ini_get('session.sid_bits_per_character');
-        $SIDLength        = (int) ini_get('session.sid_length');
-
-        if (($bits = $SIDLength * $bitsPerCharacter) < 160) {
-            // Add as many more characters as necessary to reach at least 160 bits
-            $SIDLength += (int) ceil((160 % $bits) / $bitsPerCharacter);
-            ini_set('session.sid_length', (string) $SIDLength);
-        }
-
-        switch ($bitsPerCharacter) {
-            case 4:
-                $this->sessionIDRegex = '[0-9a-f]';
-                break;
+        $sidLength        = (int) ini_get('session.sid_length');
 
-            case 5:
-                $this->sessionIDRegex = '[0-9a-v]';
-                break;
-
-            case 6:
-                $this->sessionIDRegex = '[0-9a-zA-Z,-]';
-                break;
+        // We force the PHP defaults.
+        if (PHP_VERSION_ID < 90000) {
+            if ($bitsPerCharacter !== 4) {
+                ini_set('session.sid_bits_per_character', '4');
+            }
+            if ($sidLength !== 32) {
+                ini_set('session.sid_length', '32');
+            }
         }
 
-        $this->sessionIDRegex .= '{' . $SIDLength . '}';
+        $this->sessionIDRegex = '[0-9a-f]{32}';
     }
 }

system/Session/Session.php

@@ -316,49 +316,25 @@ protected function configure()
     /**
      * Configure session ID length
      *
-     * To make life easier, we used to force SHA-1 and 4 bits per
-     * character on everyone. And of course, someone was unhappy.
-     *
-     * Then PHP 7.1 broke backwards-compatibility because ext/session
-     * is such a mess that nobody wants to touch it with a pole stick,
-     * and the one guy who does, nobody has the energy to argue with.
-     *
-     * So we were forced to make changes, and OF COURSE something was
-     * going to break and now we have this pile of shit. -- Narf
+     * To make life easier, we force the PHP defaults. Because PHP9 forces them.
+     * See https://wiki.php.net/rfc/deprecations_php_8_4#sessionsid_length_and_sessionsid_bits_per_character
      */
     protected function configureSidLength()
     {
-        $bitsPerCharacter = (int) (ini_get('session.sid_bits_per_character') !== false
-            ? ini_get('session.sid_bits_per_character')
-            : 4);
-
-        $sidLength = (int) (ini_get('session.sid_length') !== false
-            ? ini_get('session.sid_length')
-            : 40);
-
-        if (($sidLength * $bitsPerCharacter) < 160) {
-            $bits = ($sidLength * $bitsPerCharacter);
-            // Add as many more characters as necessary to reach at least 160 bits
-            $sidLength += (int) ceil((160 % $bits) / $bitsPerCharacter);
-            ini_set('session.sid_length', (string) $sidLength);
-        }
+        $bitsPerCharacter = (int) ini_get('session.sid_bits_per_character');
+        $sidLength        = (int) ini_get('session.sid_length');
 
-        // Yes, 4,5,6 are the only known possible values as of 2016-10-27
-        switch ($bitsPerCharacter) {
-            case 4:
-                $this->sidRegexp = '[0-9a-f]';
-                break;
-
-            case 5:
-                $this->sidRegexp = '[0-9a-v]';
-                break;
-
-            case 6:
-                $this->sidRegexp = '[0-9a-zA-Z,-]';
-                break;
+        // We force the PHP defaults.
+        if (PHP_VERSION_ID < 90000) {
+            if ($bitsPerCharacter !== 4) {
+                ini_set('session.sid_bits_per_character', '4');
+            }
+            if ($sidLength !== 32) {
+                ini_set('session.sid_length', '32');
+            }
         }
 
-        $this->sidRegexp .= '{' . $sidLength . '}';
+        $this->sidRegexp = '[0-9a-f]{32}';
     }
 
     /**