I'm trying to make sure I'm using sha512 for session hashing. When I print out my algos I get
Array
(
[0] => md2
[1] => md4
[2] => md5
[3] => sha1
[4] => sha224
[5] => sha256
[6] => sha384
[7] => sha512
[8] => ripemd128
etc....
)
So in php.ini I set it like,
session.hash_function = 7
The only reason I'm confused is that in the .ini file it lists hashing schemes differently than what PHP prints, for example 0 as md5 not md2.
; Select a hash function
; 0: MD5 (128 bits)
; 1: SHA-1 (160 bits)
Is this just the default hashing schemes for maybe an older php version or something?
0 and 1 are the only numeric values that are actually documented:
session.hash_function allows you to specify the hash algorithm used to generate the session IDs. '0' means MD5 (128 bits) and '1' means SHA-1 (160 bits).
If you want to leverage other algorithms:
Since PHP 5.3.0 it is also possible to specify any of the algorithms provided by the hash extension (if it is available), like sha512 or whirlpool. A complete list of supported algorithms can be obtained with the hash_algos() function.
I admit it's not clearly expressed, but the definition of the directive states that its argument is of mixed type. It expects either an integer (for MD5 and SHA-1 only) or the name (string) of the algorithm as returned by hash_algos(). (Incidentally, that also means that there're two ways to specify MD5 and SHA-1.) Developers changed their mind when new algorithms were added but kept backwards compatibility.
I've tried this code and I got a huge session ID:
ini_set('session.hash_function', 'whirlpool');
hash_algos() returns an array of strings of all available algorithms and therefore is not suitable as argument for the ini-setting "session.hash_function". Just try to set your preferred algorithm as string instead of '0' or '1'.
Setting the hash function as a string works:
session.hash_function = sha512
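As an added example (not from any of the posts above), this PHP check applies the rule the answers describe: 0 and 1 are the documented integer forms, and anything else has to be a name returned by hash_algos(). The function name resolveSessionHash and the sample values are hypothetical.

```php
<?php
// Added example; resolveSessionHash() and $samples are hypothetical names.

// Map a session.hash_function value to the algorithm it names,
// or return null when the value is neither documented form.
function resolveSessionHash($value)
{
    $value = trim((string) $value);

    // Integer form: only 0 (MD5) and 1 (SHA-1) are documented.
    if ($value === '0') {
        return 'md5';
    }
    if ($value === '1') {
        return 'sha1';
    }
    // Any other number, such as an index into hash_algos(), is undocumented.
    if (ctype_digit($value)) {
        return null;
    }
    // String form (PHP >= 5.3.0): a name exactly as hash_algos() returns it.
    return in_array($value, hash_algos(), true) ? $value : null;
}

// Constructed sample values; 7 is the setting from the question.
$samples = array('0', '1', '7', 'sha512', 'whirlpool', 'sha-512');
foreach ($samples as $sample) {
    $algo = resolveSessionHash($sample);
    if ($algo === null) {
        printf("%-10s => not a documented value\n", $sample);
    } else {
        // Digest size in bits, measured on the raw hash of an empty string.
        printf("%-10s => %s (%d bits)\n", $sample, $algo, strlen(hash($algo, '', true)) * 8);
    }
}

// Check the value the running configuration uses. ini_get() returns false
// when the directive is not registered in this PHP build.
$current = ini_get('session.hash_function');
if ($current === false) {
    echo "session.hash_function is not available here\n";
} else {
    $algo = resolveSessionHash($current);
    echo "configured: $current => " . ($algo === null ? 'not a documented value' : $algo) . "\n";
}
```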